HomeAbout UsServices Our ExpertsResources InsightsGet in Touch
Information Security Management — ISO/IEC 27001:2022

ISO 27001:2022 Gap Assessment Tool

A comprehensive self-assessment covering all 93 Annex A controls across 4 themes, plus 23 ISMS clause requirements (Clauses 4–10). Rate each control for applicability, implementation status, and maturity. Generate a Statement of Applicability (SoA) and prioritised gap action plan — ready for certification preparation or internal audit.

93Annex A Controls
4Control Themes
11New 2022 Controls
SoAExport Ready
0 / 93 assessed

Annex A Themes

Controls Assessed
0 / 93
A5

A.5 Organisational Controls

5.1 Policies for information security
Standard Requirement
Information security policies shall be defined, approved by management, published, communicated and reviewed at planned intervals.
Evidence to Examine
Signed IS policy; distribution records; review minutes
Audit & Assessment Guidance
Verify a documented IS policy exists, approved at board/executive level. Check it has been communicated to all staff. Confirm review cycle (annually minimum) and evidence of last review.
Applicability
Implementation Status
Maturity Level
5.2 Information security roles and responsibilities
Standard Requirement
Information security roles and responsibilities shall be defined and allocated according to the organisation's needs.
Evidence to Examine
RACI matrix; job descriptions with IS responsibilities; org chart
Audit & Assessment Guidance
Confirm ISMS roles are assigned (CISO/ISM, data owner, system owner, incident coordinator). Check role descriptions. Verify no critical role gaps.
Applicability
Implementation Status
Maturity Level
5.3 Segregation of duties
Standard Requirement
Conflicting duties and conflicting areas of responsibility shall be segregated.
Evidence to Examine
SOD matrix; access control configuration; workflow approval logs
Audit & Assessment Guidance
Review access controls and approval workflows. Confirm no single person can initiate and approve the same transaction. Check IT SOD (developer ≠ production access).
Applicability
Implementation Status
Maturity Level
5.4 Management responsibilities
Standard Requirement
Management shall require all personnel to apply information security in accordance with established policies.
Evidence to Examine
Management security communications; disciplinary records for IS violations
Audit & Assessment Guidance
Confirm management actively enforces security policies. Check evidence of management communications and consequence management for violations.
Applicability
Implementation Status
Maturity Level
5.5 Contact with authorities
Standard Requirement
The organisation shall establish and maintain contact with relevant authorities.
Evidence to Examine
Authority contact register; incident notification procedures
Audit & Assessment Guidance
Verify documented contacts for law enforcement, data protection regulator, and CERT. Confirm contact details are current and notification processes exist.
Applicability
Implementation Status
Maturity Level
5.6 Contact with special interest groups
Standard Requirement
The organisation shall establish and maintain contact with special interest groups.
Evidence to Examine
Membership records; threat intelligence feed subscriptions
Audit & Assessment Guidance
Confirm membership in security groups (ISACs, ISACA, CISA forums). Check threat intelligence is received and acted upon.
Applicability
Implementation Status
Maturity Level
5.7 Threat intelligence
NEW 2022
Standard Requirement
Information relating to information security threats shall be collected and analysed to produce threat intelligence.
Evidence to Examine
Threat intelligence policy; feed subscriptions; analysis records; risk register updates
Audit & Assessment Guidance
Verify a threat intelligence process exists with identified sources (OSINT, vendor advisories, ISACs). Check intelligence feeds into risk assessments and control decisions.
Applicability
Implementation Status
Maturity Level
5.8 Information security in project management
Standard Requirement
Information security shall be integrated into project management.
Evidence to Examine
Project management framework; security checklist in project templates; PIR records
Audit & Assessment Guidance
Review project methodology to confirm security requirements are assessed at initiation. Verify security sign-off is required before go-live.
Applicability
Implementation Status
Maturity Level
5.9 Inventory of information and other associated assets
Standard Requirement
An inventory of information and other associated assets, including owners, shall be developed and maintained.
Evidence to Examine
Asset register; owner assignments; last review date
Audit & Assessment Guidance
Verify an asset register exists covering information assets, hardware, software, and services. Confirm owners are assigned and inventory is current.
Applicability
Implementation Status
Maturity Level
5.10 Acceptable use of information and other associated assets
Standard Requirement
Rules for the acceptable use of information and other associated assets shall be identified, documented and implemented.
Evidence to Examine
Acceptable use policy; staff acknowledgement records; BYOD policy
Audit & Assessment Guidance
Confirm an acceptable use policy (AUP) exists covering email, internet, devices, and data. Verify staff have acknowledged it.
Applicability
Implementation Status
Maturity Level
5.11 Return of assets
Standard Requirement
Personnel and other interested parties shall return all organisational assets upon change or termination.
Evidence to Examine
Offboarding checklist; asset return receipts; leaver records
Audit & Assessment Guidance
Verify offboarding process includes asset return checklist. Check recent termination records for asset returns (laptops, tokens, badges, keys).
Applicability
Implementation Status
Maturity Level
5.12 Classification of information
Standard Requirement
Information shall be classified according to the organisation's information security needs.
Evidence to Examine
Classification policy; scheme document; sample of labelled documents
Audit & Assessment Guidance
Confirm a classification scheme exists (e.g., Public/Internal/Confidential/Restricted). Verify information assets are classified in practice.
Applicability
Implementation Status
Maturity Level
5.13 Labelling of information
Standard Requirement
An appropriate set of procedures for information labelling shall be developed and implemented.
Evidence to Examine
Labelling procedures; DLP tool configuration; sample labelled documents and emails
Audit & Assessment Guidance
Verify procedures for applying classification labels to documents, emails, and data stores. Check consistency of labelling in practice.
Applicability
Implementation Status
Maturity Level
5.14 Information transfer
Standard Requirement
Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities.
Evidence to Examine
Data transfer policy; email encryption config; secure FTP setup; data sharing agreements
Audit & Assessment Guidance
Confirm policies govern data transferred internally and externally. Check email encryption, secure file transfer, and NDAs/data transfer agreements with third parties.
Applicability
Implementation Status
Maturity Level
5.15 Access control
Standard Requirement
Rules to control physical and logical access to information and other associated assets shall be established and implemented.
Evidence to Examine
Access control policy; IAM procedures; JML process; access review records
Audit & Assessment Guidance
Verify access control policy exists aligned to least privilege and need-to-know. Check user provisioning/deprovisioning procedures. Review access review frequency.
Applicability
Implementation Status
Maturity Level
5.16 Identity management
Standard Requirement
The full lifecycle of identities shall be managed.
Evidence to Examine
Identity management procedures; unique account policy; PAM records
Audit & Assessment Guidance
Confirm procedures cover identity creation, modification, and deletion. Check identities are unique (no shared accounts). Verify privileged identities are separately managed.
Applicability
Implementation Status
Maturity Level
5.17 Authentication information
Standard Requirement
Allocation and management of authentication information shall be controlled by a management process.
Evidence to Examine
Password policy; MFA configuration evidence; default credential change records
Audit & Assessment Guidance
Verify password policy meets minimum requirements (length, complexity, history). Check MFA is enforced for remote access and privileged accounts. Confirm default credentials are changed.
Applicability
Implementation Status
Maturity Level
5.18 Access rights
Standard Requirement
Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed.
Evidence to Examine
Access request records; access review reports; termination access revocation evidence
Audit & Assessment Guidance
Review access request and approval workflow. Confirm access is reviewed at planned intervals (quarterly/annually). Verify access is revoked promptly on departure.
Applicability
Implementation Status
Maturity Level
5.19 Information security in supplier relationships
Standard Requirement
Processes and procedures to manage the information security risks associated with the use of suppliers' products or services shall be defined and implemented.
Evidence to Examine
Supplier security policy; contract templates with security clauses; supplier assessment questionnaires
Audit & Assessment Guidance
Confirm a supplier security policy exists. Verify security requirements are included in supplier contracts. Check supplier assessment process.
Applicability
Implementation Status
Maturity Level
5.20 Addressing information security within supplier agreements
Standard Requirement
Relevant information security requirements shall be established and agreed with each supplier.
Evidence to Examine
Supplier contracts with security schedules; SLA monitoring records; right-to-audit clauses
Audit & Assessment Guidance
Review a sample of supplier contracts. Confirm security clauses cover data protection, access controls, incident notification, right-to-audit, and subcontractor management.
Applicability
Implementation Status
Maturity Level
5.21 Managing information security in the ICT supply chain
Standard Requirement
Processes and procedures shall be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.
Evidence to Examine
Supply chain security policy; software verification procedures; vendor security assessments
Audit & Assessment Guidance
Verify software/hardware supply chain security controls exist. Check supplier integrity verification. Assess third-party software risk management process.
Applicability
Implementation Status
Maturity Level
5.22 Monitoring, review and change management of supplier services
Standard Requirement
The organisation shall regularly monitor, review and manage changes to supplier information security practices and service delivery.
Evidence to Examine
Supplier review meeting minutes; supplier KPI dashboards; change notification records
Audit & Assessment Guidance
Confirm supplier performance reviews include security metrics. Verify process for managing security-impacting changes from suppliers. Check supplier incident notification records.
Applicability
Implementation Status
Maturity Level
5.23 Information security for use of cloud services
NEW 2022
Standard Requirement
Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organisation's information security requirements.
Evidence to Examine
Cloud security policy; cloud risk assessments; data residency documentation; cloud exit procedures
Audit & Assessment Guidance
Verify a cloud security policy exists. Check cloud service risk assessments are conducted before adoption. Confirm data residency, encryption, and exit procedures are addressed.
Applicability
Implementation Status
Maturity Level
5.24 Information security incident management planning and preparation
Standard Requirement
The organisation shall plan and prepare for managing information security incidents by defining, establishing and communicating incident management processes, roles and responsibilities.
Evidence to Examine
Incident response plan; RACI for IR; contact lists; tabletop exercise records
Audit & Assessment Guidance
Confirm an incident response plan (IRP) exists with defined roles, escalation paths, and communication procedures. Verify the plan has been tested.
Applicability
Implementation Status
Maturity Level
5.25 Assessment and decision on information security events
Standard Requirement
The organisation shall assess information security events and decide if they are to be categorised as information security incidents.
Evidence to Examine
Event classification criteria; triage process documentation; event log samples
Audit & Assessment Guidance
Verify an event triage process exists with clear criteria for escalating events to incidents. Check all events are logged and assessed.
Applicability
Implementation Status
Maturity Level
5.26 Response to information security incidents
Standard Requirement
Information security incidents shall be responded to in accordance with the documented procedures.
Evidence to Examine
Incident tickets/records; post-incident review reports; lessons learned register
Audit & Assessment Guidance
Review a sample of past incidents to confirm they were handled per the IRP. Check evidence of containment, eradication, recovery, and lessons learned.
Applicability
Implementation Status
Maturity Level
5.27 Learning from information security incidents
Standard Requirement
Knowledge gained from information security incidents shall be used to strengthen and improve information security controls.
Evidence to Examine
Post-incident review reports; risk register updates; control improvement records
Audit & Assessment Guidance
Confirm a lessons-learned process feeds back into risk assessments and control improvements. Check recurring incident types have resulted in permanent control changes.
Applicability
Implementation Status
Maturity Level
5.28 Collection of evidence
Standard Requirement
The organisation shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.
Evidence to Examine
Evidence handling procedures; log retention policy; chain of custody forms
Audit & Assessment Guidance
Verify forensic evidence handling procedures exist. Confirm chain of custody process. Check log retention periods are sufficient to support investigations.
Applicability
Implementation Status
Maturity Level
5.29 Information security during disruption
Standard Requirement
The organisation shall plan how to maintain information security at an appropriate level during disruption.
Evidence to Examine
BCP/DRP documentation; security controls in DR environment; DR test records with security validation
Audit & Assessment Guidance
Confirm BCP/DRP includes information security requirements. Verify security controls are maintained in DR scenarios. Check failover security configuration.
Applicability
Implementation Status
Maturity Level
5.30 ICT readiness for business continuity
NEW 2022
Standard Requirement
ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.
Evidence to Examine
RTO/RPO definitions; DR procedures; recovery test reports with results vs objectives
Audit & Assessment Guidance
Verify RTO/RPO requirements are defined. Confirm ICT recovery capabilities meet business requirements. Check recovery tests have been conducted and results documented.
Applicability
Implementation Status
Maturity Level
5.31 Legal, statutory, regulatory and contractual requirements
Standard Requirement
Legal, statutory, regulatory and contractual requirements relevant to information security shall be identified, documented and kept up to date.
Evidence to Examine
Legal and regulatory register; compliance calendar; legal review records
Audit & Assessment Guidance
Confirm a legal register exists covering data protection laws, sector regulations, and contractual requirements. Verify it is maintained and reviewed for changes.
Applicability
Implementation Status
Maturity Level
5.32 Intellectual property rights
Standard Requirement
The organisation shall implement appropriate procedures to protect intellectual property rights.
Evidence to Examine
Software asset management records; licence register; employment contracts with IP clause
Audit & Assessment Guidance
Verify software licence management process. Check unlicensed software is prohibited. Confirm IP ownership is addressed in employment contracts.
Applicability
Implementation Status
Maturity Level
5.33 Protection of records
Standard Requirement
Records shall be protected from loss, destruction, falsification, unauthorised access and unauthorised release.
Evidence to Examine
Records management policy; retention schedule; secure destruction records; access controls on records
Audit & Assessment Guidance
Confirm records management policy covers retention periods, storage requirements, and destruction procedures. Verify records are protected against tampering.
Applicability
Implementation Status
Maturity Level
5.34 Privacy and protection of personal information
Standard Requirement
The organisation shall identify and meet the requirements regarding the preservation of privacy and protection of personal information.
Evidence to Examine
Privacy policy; DPIA records; data subject request procedures; DPO appointment
Audit & Assessment Guidance
Verify a privacy policy and data protection compliance programme exist. Check DPIAs are conducted. Confirm DPO appointed if required.
Applicability
Implementation Status
Maturity Level
5.35 Independent review of information security
Standard Requirement
The organisation's approach to managing information security and its implementation shall be reviewed independently at planned intervals.
Evidence to Examine
Internal audit reports; external assessment reports; management review records; finding tracking log
Audit & Assessment Guidance
Confirm independent reviews (internal audit, external assessment) of the ISMS are conducted. Verify findings are tracked and remediated.
Applicability
Implementation Status
Maturity Level
5.36 Compliance with policies, rules and standards
Standard Requirement
Compliance with the organisation's information security policy, topic-specific policies, rules and standards shall be regularly reviewed.
Evidence to Examine
Compliance review reports; non-compliance records and remediation; management review minutes
Audit & Assessment Guidance
Verify compliance reviews are conducted for information security policies. Check non-compliance is escalated and remediated. Confirm management review includes compliance status.
Applicability
Implementation Status
Maturity Level
5.37 Documented operating procedures
Standard Requirement
Operating procedures for information processing facilities shall be documented and made available to personnel who need them.
Evidence to Examine
IT operations procedures; document management system with version control; procedure review records
Audit & Assessment Guidance
Confirm documented procedures exist for key IT operations (backups, patch management, user administration, incident response). Verify procedures are accessible and current.
Applicability
Implementation Status
Maturity Level
A6

A.6 People Controls

6.1 Screening
Standard Requirement
Background verification checks on all candidates for employment shall be carried out prior to joining the organisation and on an ongoing basis.
Evidence to Examine
Screening policy; screening provider records; pre-employment check completions; enhanced screening for admin roles
Audit & Assessment Guidance
Confirm pre-employment screening policy exists. Verify checks include identity, employment history, qualifications, and criminal record (where legally permissible). Check enhanced screening for privileged roles.
Applicability
Implementation Status
Maturity Level
6.2 Terms and conditions of employment
Standard Requirement
Employment contracts shall state the personnel's and the organisation's responsibilities for information security.
Evidence to Examine
Employment contract templates; signed contracts; confidentiality agreement templates
Audit & Assessment Guidance
Review employment contract templates. Confirm they include information security responsibilities, confidentiality obligations, data protection requirements, and acceptable use acknowledgement.
Applicability
Implementation Status
Maturity Level
6.3 Information security awareness, education and training
Standard Requirement
Personnel and relevant interested parties shall receive appropriate information security awareness, education and training.
Evidence to Examine
Training programme records; completion statistics; phishing simulation results; role-based training requirements
Audit & Assessment Guidance
Verify a security awareness programme exists with defined training requirements by role. Check completion rates. Confirm training covers phishing, social engineering, password security, and data handling.
Applicability
Implementation Status
Maturity Level
6.4 Disciplinary process
Standard Requirement
A formal and communicated disciplinary process shall exist to take action against personnel who have committed an information security policy violation.
Evidence to Examine
HR disciplinary policy with IS violations; communication records; anonymised disciplinary records
Audit & Assessment Guidance
Confirm HR disciplinary process includes information security violations. Verify process is communicated to all staff. Check past violations have been handled consistently.
Applicability
Implementation Status
Maturity Level
6.5 Responsibilities after termination or change of employment
Standard Requirement
Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated and enforced.
Evidence to Examine
Post-employment clauses in contracts; offboarding checklist; access revocation records
Audit & Assessment Guidance
Verify post-employment confidentiality obligations are in employment contracts. Check offboarding process communicates continuing obligations. Verify access is revoked on termination.
Applicability
Implementation Status
Maturity Level
6.6 Confidentiality or non-disclosure agreements
Standard Requirement
Confidentiality or non-disclosure agreements reflecting the organisation's needs for the protection of information shall be identified, documented, regularly reviewed and signed.
Evidence to Examine
NDA templates; signed NDA register; third-party NDA records; review date of agreement templates
Audit & Assessment Guidance
Confirm NDA/confidentiality agreements are used for employees, contractors, and third parties with access to sensitive information. Verify agreements are current and signed.
Applicability
Implementation Status
Maturity Level
6.7 Remote working
Standard Requirement
Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organisation's premises.
Evidence to Examine
Remote working policy; VPN configuration; MDM enrolment records; remote device encryption evidence
Audit & Assessment Guidance
Verify remote working policy exists. Check controls include VPN, encrypted devices, secure Wi-Fi requirements, and clear screen/desk policy. Verify MDM for remote devices.
Applicability
Implementation Status
Maturity Level
6.8 Information security event reporting
Standard Requirement
The organisation shall provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.
Evidence to Examine
Incident reporting procedures; reporting channel config; awareness materials; incident log showing reports received
Audit & Assessment Guidance
Confirm staff know how to report security events. Verify reporting mechanisms (helpdesk, email, hotline). Check all reports are acknowledged and tracked.
Applicability
Implementation Status
Maturity Level
A7

A.7 Physical Controls

7.1 Physical security perimeters
Standard Requirement
Security perimeters shall be defined and used to protect areas that contain information and other associated assets.
Evidence to Examine
Site floor plan with security zones; physical security policy; site survey records
Audit & Assessment Guidance
Verify physical security zones are defined (public, reception, office, data centre). Confirm perimeter security controls are proportionate to risk of each area.
Applicability
Implementation Status
Maturity Level
7.2 Physical entry
Standard Requirement
Secure areas shall be protected by appropriate entry controls and access points.
Evidence to Examine
Access control system records; visitor log; entry control procedures; CCTV at entry points
Audit & Assessment Guidance
Check access controls at entry points (key cards, PIN, biometrics). Verify visitor management procedures. Confirm tailgating prevention. Review access logs for sensitive areas.
Applicability
Implementation Status
Maturity Level
7.3 Securing offices, rooms and facilities
Standard Requirement
Physical security for offices, rooms and facilities shall be designed and implemented.
Evidence to Examine
Office security assessment; server room access logs; clean desk policy; physical security audit records
Audit & Assessment Guidance
Verify offices housing sensitive equipment or information have appropriate physical security (locked doors, clean desk). Check server room/data centre access controls.
Applicability
Implementation Status
Maturity Level
7.4 Physical security monitoring
NEW 2022
Standard Requirement
Premises shall be continuously monitored for unauthorised physical access.
Evidence to Examine
CCTV coverage map; recording retention configuration; alarm system test records; monitoring procedures
Audit & Assessment Guidance
Verify CCTV covers all entry/exit points and sensitive areas. Confirm recordings are retained appropriately (typically 30–90 days). Check intruder alarm system is in place and tested.
Applicability
Implementation Status
Maturity Level
7.5 Protecting against physical and environmental threats
Standard Requirement
Protection against physical and environmental threats, such as natural disasters, malicious attack or accidents shall be designed and implemented.
Evidence to Examine
Environmental controls documentation; UPS/generator test records; fire suppression system maintenance; environmental monitoring alerts
Audit & Assessment Guidance
Verify controls exist for environmental threats (flood, fire, temperature). Check UPS and generator provision. Confirm fire suppression system in server rooms. Review environmental monitoring.
Applicability
Implementation Status
Maturity Level
7.6 Working in secure areas
Standard Requirement
Security measures for working in secure areas shall be designed and implemented.
Evidence to Examine
Secure area working procedures; access control records; clean desk compliance records
Audit & Assessment Guidance
Confirm procedures govern behaviour in secure areas (no photography, clean desk, no unauthorised visitors). Check secure area access is restricted to authorised personnel.
Applicability
Implementation Status
Maturity Level
7.7 Clear desk and clear screen
Standard Requirement
Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities shall be defined and implemented.
Evidence to Examine
Clear desk/screen policy; screen lock configuration; compliance spot-check records
Audit & Assessment Guidance
Verify clear desk and screen policies exist. Check compliance through spot-checks or audit records. Confirm screen lock is configured on all workstations.
Applicability
Implementation Status
Maturity Level
7.8 Equipment siting and protection
Standard Requirement
Equipment shall be sited securely and protected.
Evidence to Examine
Equipment placement policy; data centre specifications; workstation placement assessment
Audit & Assessment Guidance
Verify servers and network equipment are appropriately located (temperature controlled, cable management). Check workstations are positioned to prevent shoulder surfing in public areas.
Applicability
Implementation Status
Maturity Level
7.9 Security of assets off-premises
Standard Requirement
Off-site assets shall be protected.
Evidence to Examine
Off-site asset policy; device encryption evidence; lost device reports; remote wipe capability confirmation
Audit & Assessment Guidance
Verify policy governs off-site use of equipment. Confirm laptops and mobile devices are encrypted. Check processes for reporting lost/stolen devices. Verify remote wipe capability.
Applicability
Implementation Status
Maturity Level
7.10 Storage media
Standard Requirement
Storage media shall be managed through its lifecycle of acquisition, use, transportation and disposal.
Evidence to Examine
Media management policy; USB control configuration; media destruction certificates; media register
Audit & Assessment Guidance
Confirm removable media policy exists (USB controls, encryption). Verify media destruction records for disposed media. Check media labelling and handling procedures.
Applicability
Implementation Status
Maturity Level
7.11 Supporting utilities
Standard Requirement
Information processing facilities shall be protected from power failures and other disruptions caused by failures in supporting utilities.
Evidence to Examine
UPS specifications; generator test records; redundant connectivity documentation; utility failure procedure
Audit & Assessment Guidance
Verify UPS provision for critical systems. Check generator capacity and test records. Confirm telecoms/internet redundancy. Review utility failure response procedures.
Applicability
Implementation Status
Maturity Level
7.12 Cabling security
Standard Requirement
Cables carrying power or data or supporting information services shall be protected from interception, interference or damage.
Evidence to Examine
Cabling management documentation; cabinet lock configurations; cabling diagram; physical inspection records
Audit & Assessment Guidance
Verify network cabling is protected (conduit, locked cabinets, labelled). Check patch panels are in locked cabinets. Confirm power cabling is segregated from network cabling.
Applicability
Implementation Status
Maturity Level
7.13 Equipment maintenance
Standard Requirement
Equipment shall be maintained correctly to ensure availability, integrity and confidentiality of information.
Evidence to Examine
Equipment maintenance schedule; maintenance records; authorised maintainer list; data protection during maintenance procedures
Audit & Assessment Guidance
Verify a maintenance schedule exists for all hardware. Check records of preventive maintenance. Confirm maintenance is by authorised personnel and data is protected during maintenance.
Applicability
Implementation Status
Maturity Level
7.14 Secure disposal or re-use of equipment
Standard Requirement
Items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.
Evidence to Examine
Equipment disposal policy; data sanitisation procedures; destruction certificates; disposal records log
Audit & Assessment Guidance
Confirm data sanitisation process exists before equipment disposal or re-use. Check certificates of destruction for hard drives. Verify NIST 800-88 or equivalent standard is applied.
Applicability
Implementation Status
Maturity Level
A8

A.8 Technological Controls

8.1 User endpoint devices
Standard Requirement
Information stored on, processed by or accessible via user endpoint devices shall be protected.
Evidence to Examine
Endpoint security policy; MDM/EDR deployment records; antivirus update logs; patch compliance reports
Audit & Assessment Guidance
Verify endpoint security policy covers configuration hardening, antivirus, patch management, and encryption. Check MDM/EDR deployment. Confirm BYOD requirements if applicable.
Applicability
Implementation Status
Maturity Level
8.2 Privileged access rights
Standard Requirement
The allocation and use of privileged access rights shall be restricted and managed.
Evidence to Examine
PAM solution configuration; privileged account register; quarterly access review records; privileged session logs
Audit & Assessment Guidance
Confirm privileged access is restricted to named individuals with documented justification. Check PAM solution is deployed. Verify privileged accounts are reviewed quarterly. Confirm privileged sessions are logged.
Applicability
Implementation Status
Maturity Level
8.3 Information access restriction
Standard Requirement
Access to information and application system functions shall be restricted in accordance with the established access control policy.
Evidence to Examine
RBAC configuration; access request approvals; application access control settings; database access controls
Audit & Assessment Guidance
Verify role-based access control is implemented. Check access is based on need-to-know. Confirm access restrictions are enforced at application and database level.
Applicability
Implementation Status
Maturity Level
8.4 Access to source code
Standard Requirement
Read and write access to source code, development tools and software libraries shall be appropriately managed.
Evidence to Examine
Source code repository access controls; branch protection rules; developer-production SOD evidence; code review records
Audit & Assessment Guidance
Confirm source code repositories have access controls restricting who can read, write, and merge code. Check production access is restricted to operations. Verify code review requirements.
Applicability
Implementation Status
Maturity Level
8.5 Secure authentication
Standard Requirement
Secure authentication technologies and procedures shall be implemented based on information access restrictions and the access control policy.
Evidence to Examine
MFA configuration evidence; password policy; session timeout configuration; authentication failure logs
Audit & Assessment Guidance
Verify MFA is enforced for all remote access, privileged accounts, and sensitive applications. Check password policy meets requirements. Confirm session timeout is configured.
Applicability
Implementation Status
Maturity Level
8.6 Capacity management
Standard Requirement
The use of resources shall be monitored and adjusted in line with current and expected capacity requirements.
Evidence to Examine
Capacity monitoring dashboards; alert threshold configuration; capacity planning reports
Audit & Assessment Guidance
Confirm capacity monitoring is in place for servers, networks, and storage. Check capacity thresholds trigger alerts. Verify capacity planning reviews are conducted.
Applicability
Implementation Status
Maturity Level
8.7 Protection against malware
Standard Requirement
Protection against malware shall be implemented and supported by appropriate user awareness.
Evidence to Examine
Anti-malware deployment evidence; definition update logs; email/web filter configuration; malware incident records
Audit & Assessment Guidance
Verify anti-malware is deployed on all endpoints and servers. Check definitions are automatically updated. Confirm email and web filtering include anti-malware scanning. Review malware incident records.
Applicability
Implementation Status
Maturity Level
8.8 Management of technical vulnerabilities
Standard Requirement
Information about technical vulnerabilities of information systems in use shall be obtained, the organisation's exposure evaluated and appropriate measures taken.
Evidence to Examine
Vulnerability scanning reports; patch SLA policy; remediation tracking records; penetration test reports
Audit & Assessment Guidance
Confirm a vulnerability management programme exists with regular scanning. Check patch SLAs by severity (Critical: 7 days, High: 30 days). Verify remediation tracking. Confirm penetration testing is conducted.
Applicability
Implementation Status
Maturity Level
8.9 Configuration management
NEW 2022
Standard Requirement
Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.
Evidence to Examine
CMDB/asset configuration records; security baseline standards; configuration compliance scan results; deviation approval records
Audit & Assessment Guidance
Verify a CMDB or equivalent exists. Check security baselines (CIS benchmarks or equivalent) are applied. Confirm deviations from baseline require approval.
Applicability
Implementation Status
Maturity Level
8.10 Information deletion
NEW 2022
Standard Requirement
Information stored in information systems, devices or in any other storage media shall be deleted when no longer required.
Evidence to Examine
Data retention and deletion policy; retention schedule; deletion execution records; automated deletion tool configuration
Audit & Assessment Guidance
Confirm data retention and deletion policy exists with defined retention periods. Verify deletion is performed when retention period expires. Check automated deletion tools or manual processes.
Applicability
Implementation Status
Maturity Level
8.11 Data masking
NEW 2022
Standard Requirement
Data masking shall be used in accordance with the organisation's access control policy and other related policies, and business requirements, taking applicable legislation into consideration.
Evidence to Examine
Data masking policy; masking tool configuration; test environment data validation; non-production data handling records
Audit & Assessment Guidance
Verify sensitive data (PII, payment data) is masked or pseudonymised in non-production environments. Check data masking tools are deployed. Confirm masking is applied before data is provided to development/test teams.
Applicability
Implementation Status
Maturity Level
8.12 Data leakage prevention
NEW 2022
Standard Requirement
Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information.
Evidence to Examine
DLP solution deployment; DLP policy configuration; DLP alert logs; incident records for DLP violations
Audit & Assessment Guidance
Verify DLP controls are deployed covering email, web, removable media, and cloud uploads. Check DLP policies match data classification. Review DLP alert response process.
Applicability
Implementation Status
Maturity Level
8.13 Information backup
Standard Requirement
Backup copies of information, software and system images shall be taken and tested regularly in accordance with the agreed backup policy.
Evidence to Examine
Backup policy; backup schedule configuration; restoration test records with results; backup success monitoring logs
Audit & Assessment Guidance
Confirm backup policy exists covering frequency, retention, off-site storage, and encryption. Verify backup restoration is tested at least annually. Check backup success rate monitoring.
Applicability
Implementation Status
Maturity Level
8.14 Redundancy of information processing facilities
Standard Requirement
Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.
Evidence to Examine
Redundancy design documents; failover test records; HA configuration; RTO/RPO compliance evidence
Audit & Assessment Guidance
Verify redundancy requirements are defined for critical systems (HA, failover, load balancing). Confirm redundancy is implemented and tested. Check RTO/RPO are met in failover tests.
Applicability
Implementation Status
Maturity Level
8.15 Logging
Standard Requirement
Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed.
Evidence to Examine
Logging policy; SIEM configuration; log retention settings; log integrity controls; sample log outputs
Audit & Assessment Guidance
Verify logging is enabled for all critical systems covering authentication, access, changes, and errors. Confirm log retention meets requirements. Check log integrity protection. Verify SIEM is deployed.
Applicability
Implementation Status
Maturity Level
8.16 Monitoring activities
NEW 2022
Standard Requirement
Networks, systems and applications shall be monitored and anomalies evaluated.
Evidence to Examine
Monitoring platform configuration; alert rules; SOC procedures; incident response time records
Audit & Assessment Guidance
Confirm continuous monitoring of networks, systems, and applications is in place. Verify alerts are generated for anomalous activity. Check SOC or monitoring team coverage and response times.
Applicability
Implementation Status
Maturity Level
8.17 Clock synchronisation
Standard Requirement
The clocks of information processing systems used by the organisation shall be synchronised to approved time sources.
Evidence to Examine
NTP configuration on all systems; time synchronisation monitoring; time source documentation
Audit & Assessment Guidance
Verify all systems use NTP with authoritative time sources. Check time synchronisation is monitored. Confirm time zone management for geographically distributed systems.
Applicability
Implementation Status
Maturity Level
8.18 Use of privileged utility programs
Standard Requirement
The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.
Evidence to Examine
Privileged utility access controls; usage logs; approved utility list; access restriction configuration
Audit & Assessment Guidance
Confirm privileged utilities (debug tools, OS utilities, admin tools) are restricted to authorised administrators. Check usage is logged. Verify non-admins cannot access privileged utilities.
Applicability
Implementation Status
Maturity Level
8.19 Installation of software on operational systems
Standard Requirement
Procedures and measures shall be implemented to securely manage software installation on operational systems.
Evidence to Examine
Software installation policy; application whitelisting configuration; change management records for software installation
Audit & Assessment Guidance
Verify a software installation policy restricts who can install software on production systems. Check application whitelisting is deployed. Confirm change management is required for software installation.
Applicability
Implementation Status
Maturity Level
8.20 Networks security
Standard Requirement
Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.
Evidence to Examine
Network security policy; firewall configuration; network diagram with segmentation; IDS/IPS deployment evidence
Audit & Assessment Guidance
Verify network security policy exists. Check firewalls, IDS/IPS are deployed and configured. Confirm network segmentation separates critical systems. Verify DMZ for internet-facing services.
Applicability
Implementation Status
Maturity Level
8.21 Security of network services
Standard Requirement
Security mechanisms, service levels and service requirements of all network services shall be identified, implemented and monitored.
Evidence to Examine
Network service security requirements; service monitoring dashboards; ISP/network provider SLAs with security requirements
Audit & Assessment Guidance
Verify network service agreements include security requirements. Check network services (DNS, DHCP, remote access) are secured and monitored. Confirm service level monitoring is in place.
Applicability
Implementation Status
Maturity Level
8.22 Segregation of networks
Standard Requirement
Groups of information services, users and information systems shall be segregated in networks.
Evidence to Examine
Network segmentation documentation; VLAN configuration; firewall rules between segments; network diagram
Audit & Assessment Guidance
Confirm network segmentation is implemented using VLANs, firewalls, or physical separation. Check production, development, and test environments are segregated. Verify guest network is isolated.
Applicability
Implementation Status
Maturity Level
8.23 Web filtering
NEW 2022
Standard Requirement
Access to external websites shall be managed to reduce exposure to malicious content.
Evidence to Examine
Web filtering solution deployment; category block list; bypass request process; web filtering logs
Audit & Assessment Guidance
Verify web filtering/proxy is deployed restricting access to malicious and inappropriate sites. Check categories are appropriately configured. Confirm bypass requests are controlled.
Applicability
Implementation Status
Maturity Level
8.24 Use of cryptography
Standard Requirement
Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented.
Evidence to Examine
Cryptography policy; encryption configuration (TLS versions, algorithm suites); key management procedures; certificate management records
Audit & Assessment Guidance
Confirm cryptography policy covers approved algorithms, key lengths, and key management. Verify encryption is applied to data at rest and in transit. Check key lifecycle management procedures.
Applicability
Implementation Status
Maturity Level
8.25 Secure development lifecycle
Standard Requirement
Rules for the secure development of software and systems shall be established and applied.
Evidence to Examine
SSDLC policy; security requirements templates; SAST/DAST tool configuration; security testing records
Audit & Assessment Guidance
Verify an SSDLC policy exists. Check security requirements are defined at design stage. Confirm SAST/DAST tools are used. Verify security testing is conducted before release.
Applicability
Implementation Status
Maturity Level
8.26 Application security requirements
Standard Requirement
Information security requirements shall be identified, specified and approved when developing or acquiring applications.
Evidence to Examine
Application security requirements template; requirements sign-off records; OWASP alignment documentation
Audit & Assessment Guidance
Verify security requirements are documented for all application development/procurement. Check OWASP Top 10 is addressed. Confirm security requirements sign-off is required before development starts.
Applicability
Implementation Status
Maturity Level
8.27 Secure system architecture and engineering principles
Standard Requirement
Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation.
Evidence to Examine
Security architecture principles document; design review records; architecture approval process
Audit & Assessment Guidance
Confirm security architecture principles are documented (defence in depth, least privilege, zero trust). Verify architects apply principles in system design. Check design review process includes security.
Applicability
Implementation Status
Maturity Level
8.28 Secure coding
NEW 2022
Standard Requirement
Secure coding principles shall be applied to software development.
Evidence to Examine
Secure coding standards; code review checklists with security items; developer security training records; SAST scan results
Audit & Assessment Guidance
Verify a secure coding standard is documented and communicated to developers. Check code reviews include security checks. Confirm developers receive secure coding training.
Applicability
Implementation Status
Maturity Level
8.29 Security testing in development and acceptance
Standard Requirement
Security testing processes shall be defined and implemented in the development and acceptance phases.
Evidence to Examine
Security testing policy; test results for recent releases; defect tracking records; sign-off on security testing before go-live
Audit & Assessment Guidance
Confirm security testing is embedded in the SDLC (unit testing, integration, UAT, pen testing). Check security test results are tracked and remediated before production release.
Applicability
Implementation Status
Maturity Level
8.30 Outsourced development
Standard Requirement
The organisation shall direct, monitor and review the activities related to outsourced system development.
Evidence to Examine
Outsourced development contracts with security clauses; code review records; acceptance test results
Audit & Assessment Guidance
Verify contracts with outsourced development partners include security requirements. Check code reviews are conducted on outsourced code. Confirm security testing is required before acceptance.
Applicability
Implementation Status
Maturity Level
8.31 Separation of development, test and production environments
Standard Requirement
Development, testing and production environments shall be separated and secured.
Evidence to Examine
Environment separation architecture; data masking in test/dev; change promotion process; access controls per environment
Audit & Assessment Guidance
Confirm development, test, and production environments are physically or logically separated. Verify production data is not used in test/development (or is masked). Check changes move through environments via controlled process.
Applicability
Implementation Status
Maturity Level
8.32 Change management
Standard Requirement
Changes to information processing facilities and information systems shall be subject to change management procedures.
Evidence to Examine
Change management policy; change request records; CAB records; post-implementation review records
Audit & Assessment Guidance
Verify a formal change management process exists covering request, assessment, approval, testing, implementation, and post-implementation review. Check all production changes are logged.
Applicability
Implementation Status
Maturity Level
8.33 Test information
Standard Requirement
Test information shall be appropriately selected, protected and managed.
Evidence to Examine
Test data management policy; data masking tool outputs; test environment access controls; test data disposal records
Audit & Assessment Guidance
Verify test data is either synthetic or has been anonymised/masked. Confirm access to test environments with real data is restricted. Check test data is disposed of after use.
Applicability
Implementation Status
Maturity Level
8.34 Protection of information systems during audit testing
Standard Requirement
Audit tests and other assurance activities involving assessment of operational systems shall be planned and agreed to minimise disruptions to business processes.
Evidence to Examine
Audit planning documentation; agreed scope and access controls; audit tool controls; post-audit access revocation records
Audit & Assessment Guidance
Confirm IT audit activities are agreed in advance with system owners. Verify read-only access is used where possible. Check audit tools are controlled. Confirm audit activities are logged.
Applicability
Implementation Status
Maturity Level

ISO 27001 Implementation & Audit Support

CTC Global delivers ISO 27001:2022 gap assessments, ISMS implementation advisory, and cybersecurity audit training for organisations seeking certification or maintaining compliance — across Pakistan and UAE.