ISO 28000 audit checklist
Author: Jörg Schwinning, amended by Dirk Steffen
Rev 1.0 - 2008-01-06

Checklist ISO 28000

Table of Contents:

4.1 General Requirements
4.2 Security Management Policy
4.3.1 Security Risk Assessment
4.3.2 Legal, Statutory and other Security Regulatory Requirements
4.3.3 Security Management Objectives
4.3.4 Security Management Targets
4.3.5 Security Management Programme
4.4.1 Structure, Authority and Responsibilities
4.4.2 Competence Training & Awareness
4.4.3 Communication
4.4.4 Documentation
4.4.5 Data and Document Control
4.4.6 Operational Control
4.4.7 Emergency Preparedness, Response and Security Recovery
4.5.1 Security Performance Measuring and Monitoring
4.5.2 Systems Evaluation
4.5.3 Security-related failures, incidents, non-conformances and corrective and preventive action
4.5.4 Control of Records
4.5.5 Audits
4.6 Management Review and Continual Improvement


No. | Requirements | yes | no | Remarks | Guidance, ISO 28001/4 reference

4.1 General requirements

Does the organization establish, document, implement, maintain and continually improve an effective security management system?

See also Section 4.4.4 a)

Does the organization continually improve its effectiveness?

See also Section 4.6.

Does the organization define the scope of its security management system?

See also Section 4.4.4 b) and ISO 28001,ch 4.1 Statement of application

Does the organization outsource security relevant processes? In case of outsourced processes, does the organization ensure that such processes are controlled? Are the necessary controls and responsibilities identified within the security management system?

Note: may require auditing of those outsourced processes and their documentation. At least the organization has to ensure control of outsourced processes.

4.2 Security management policy

Does the organization’s top management implement a security management policy?

Note: Does the organization have a detailed security management policy for internal use and a summarized version for dissemination to its stakeholders and other interested parties? Split of the policy in those two parts is not mandatory but recommended.

a) Is the policy consistent with other organizational policies?

See ISO 28004 4.2 c). Evidence documentation: see Section 4.4.4 c). Note: review policies and objectives relevant to the organisation's business as a whole.

b) Does the security policy provide a framework aligning security management objectives, targets and programmes?

c) Is the policy consistent with the organization’s overall security threat and risk management framework?

Note: are the measures described therein adequate for addressing the security risks that have been identified? Is the policy effective? This may have to be revisited once Sections 4.3, and 4.5.1-3 have provided sufficient evidence.

d) Is the policy appropriate to the threats to the organization and the nature and scale of its operations?

Note: are the measures described therein adequate for addressing the security risks that have been identified? Is the policy effective? This may have to be revisited once Sections 4.3, and 4.5.1-3 have provided sufficient evidence.

e) Does the policy clearly state the overall/broad security management objectives?

See also Section 4.4.4 a)

f) Does the policy include a commitment to continual improvement of the security management process?

See Section 4.4.1 and 4.6 for evidence.

g) Does the policy include a commitment to comply with current applicable legislation, regulatory and statutory requirements and with other requirements to which the organization subscribes?

See also Section 4.3.2 for evidence of compliance.

h) Is the policy visibly endorsed by top management?

i) Is the policy documented, implemented and maintained?

See Section 4.4.1 for evidence.

j) Is the policy communicated to all relevant employees and third parties including contractors and visitors?

See also Section 4.4.3

k) Is the policy available to stakeholders where appropriate? See also Section 4.4.3

l) Does the policy provide for its review in case of the acquisition of, or merger with other organizations, or other change to the business scope of the organization which may affect the continuity or relevance of the security management system?

See also Section 4.4.2.

4.3.1 Security risk assessment

Does the organization have procedures for the ongoing identification and assessment of security threats and security management related threats and risks and the identification and implementation of necessary management control measures?

See also ISO 28001, chapter 5.2 Identification of the scope of security assessment, and chapter 5.3 Conduction of the security assessment, specifically:

- Qualified assessment personnel
- A documented assessment process

Are the methods for security threats and risk identification, assessment and control appropriate to the nature and scale of the operations?

See also Statement of Application ISO 28001 ch 4.1 and Section 4.1 above.

Does the assessment consider the likelihood of an event and all of its consequences?

Risk assessment process: ISO 28001 Annex B. Note: different approaches to risk assessment may be acceptable if they take into account the nature of security-specific risks.

Does the assessment include:

a) Physical failure threats and risks, such as functional failure, incidental damage, malicious damage or terrorist or criminal action?

ISO 28001 Annex B 2. Note: evidence is the selection of applicable and relevant scenarios for risk assessments.

b) Operational threats and risks, including the control of the security, human factors and other activities which affect the organization's performance, condition or safety?

ISO 28001 Annex B 2. Note: evidence is the selection of applicable and relevant scenarios for risk assessments.

c) Natural environmental events (storm, floods, etc.), which may render security measures?

ISO 28001 Annex B 2. Note: evidence is the selection of applicable and relevant scenarios for risk assessments.

d) Factors outside of the organization's control, such as failures in externally supplied equipment and services?

ISO 28001 Annex B 2. Note: evidence is the selection of applicable and relevant scenarios for risk assessments.

e) Stakeholder threats and risks such as failure to meet regulatory requirements or damage to reputation or brand?

ISO 28001 Annex B 2. Note: evidence is the selection of applicable and relevant scenarios for risk assessments.

f) Design and installation of security equipment including replacement, maintenance, etc.?

ISO 28001 Annex B 2. Note: evidence is the selection of applicable and relevant scenarios for risk assessments.

g) Information and data management and communications?

ISO 28001 Annex B 2. Note: evidence is the selection of applicable and relevant scenarios for risk assessments.

h) A threat to continuity of operations?

ISO 28001 Annex B 2. Note: evidence is the selection of applicable and relevant scenarios for risk assessments.

Does the organization ensure that the results of these assessments and the effects of these controls are considered?

ISO 28001 Annex B 7-10. Note: evidence may be found in system evaluation (Section 4.5.2 below) and management review & continual improvement (Section 4.6 below). Other evidence may include:

- Contingency Plans
- Business Continuity Plans
- Recovery & Business Resumption Plans
- Exercises and Exercise Evaluations

See also: ISO 28004 ch 4.3.1 for the detailed process. Outputs may be:

- Description of risks and control measures
- Identification of training & competency requirements

Assessment results provide input to:

a) Security management objectives and targets?

Note: ensure understanding of the distinction between objectives and targets. Targets should be measurable.

b) Security management programmes?

ISO 28004 ch 4.3.5 c) and Section 4.3.5 below. Note: security management programmes should be derived from the targets and shall mention responsibilities, means (how they are achieved) and time-scale.

c) Determination of requirements for the design, specification and installation?

Note: requirements may be subject to cost-benefit analyses, ALARP determination, and legal or regulatory restrictions.

d) Identification of adequate resources including staffing levels?

See Section 4.4.1 below for adequate resources. See Section 4.5.1 (Security Performance) for an indication of adequacy of resources.

e) Identification of training needs and skills?

ISO 28004 ch 4.3.1 e). See also Section 4.4.2 below.

f) Development of operational controls? ISO 28004 ch 4.3.1 e) see also Section 4.4.6 below.

g) The organization's overall threat and risk management framework?

Note: if applicable.

Does the organization document and keep the above mentioned information up to date?

Note: are performance reviews carried out regularly? Are there exercises and exercise evaluations? Is there a continual improvement process which includes Risk Assessment?

Does the organization's methodology for threat and risk identification and assessment:

a) Provide for a definition with respect to its scope, nature and timing to ensure it is proactive rather than reactive?

Note: for example, does it seek to identify emerging risks and are the results factored into response, continuity and recovery plans? Or does it rely on incident response alone? Does it focus on physical security only, or is it holistic?

b) include the collection of information related to security threats and risks?

ISO 28004 ch 4.3.1 b): For an organisation with no previous (documented) security management system the following information should be considered:

- Legislative and regulatory requirements
- Identification of security threats, eg from policing and intelligence organisations (or commercial providers of such information)
- Examination of vulnerabilities (eg through a performance review or security survey)
- Evaluation of previous incidents and emergencies.

c) provide for the classification of threats and risks and identification of those that are to be avoided, eliminated or controlled?

ISO 28001 Annex B 5. Note: other forms of classification are acceptable. Risk matrices may be useful for better differentiation.

d) provide for the monitoring of actions to ensure effectiveness and the timeliness of their implementation?

ISO 28001 Annex B 7 and ISO 28004 4.3.1. d) iii. See also Section 4.5.1.
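The assessment, classification and monitoring steps asked about in 4.3.1 (likelihood and consequences; classification into avoided, eliminated or controlled; monitoring of actions for effectiveness and timeliness) as one worked example. This is added illustration code, not part of the checklist or of ISO 28001 Annex B: the 5x5 scales, the treatment thresholds in `classify`, the function names and the scenarios in `SAMPLE_REGISTER` are all constructed assumptions, and an auditor would expect the organization's own scale and thresholds to be documented in its procedure.

```python
"""Worked example of the 4.3.1 risk assessment steps: rate each threat
scenario from likelihood and consequence, classify it for treatment, and
monitor whether the planned control actions are implemented on time and
have demonstrably reduced the risk. Added illustration code, not from the
checklist or ISO 28001 Annex B; scales, thresholds and scenarios are
constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Constructed 5-point scales (assumption; the standard prescribes no scale).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class ControlAction:
    description: str
    due: date
    implemented_on: Optional[date] = None  # None = still open


@dataclass
class Scenario:
    ref: str
    threat: str
    likelihood: str
    consequence: str
    residual_likelihood: Optional[str] = None  # re-assessed after controls
    residual_consequence: Optional[str] = None
    actions: List[ControlAction] = field(default_factory=list)


def rate(likelihood: str, consequence: str) -> int:
    """Risk score = likelihood x consequence on the 5x5 matrix."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]


def classify(score: int) -> str:
    """Map a score to a treatment class (thresholds are assumptions;
    Annex B 5 accepts other forms of classification)."""
    if score >= 20:
        return "avoid"       # stop or redesign the activity
    if score >= 12:
        return "eliminate"   # remove the vulnerability at source
    if score >= 5:
        return "control"     # mitigate through a programme and monitor it
    return "accept"


def monitor(s: Scenario, today: date) -> Dict[str, object]:
    """Monitoring view for one scenario: inherent vs residual score,
    whether controls have demonstrably reduced the risk, and which
    planned actions are past their due date without implementation."""
    inherent = rate(s.likelihood, s.consequence)
    if s.residual_likelihood and s.residual_consequence:
        residual = rate(s.residual_likelihood, s.residual_consequence)
    else:
        residual = inherent  # never re-assessed: no reduction can be claimed
    overdue = [a.description for a in s.actions
               if a.implemented_on is None and a.due < today]
    return {
        "ref": s.ref,
        "inherent": inherent,
        "treatment": classify(inherent),
        "residual": residual,
        "effective": residual < inherent,
        "overdue_actions": overdue,
    }


def assess_register(register: List[Scenario], today: date) -> Dict[str, Dict[str, object]]:
    """Run the monitoring view over a whole register, keyed by reference."""
    return {s.ref: monitor(s, today) for s in register}


# Constructed sample register (assumption, for illustration only).
SAMPLE_REGISTER = [
    Scenario("R-01", "Tampering with a sealed container at transhipment",
             "possible", "major", "unlikely", "major",
             [ControlAction("Seal verification at handover", date(2008, 3, 1), date(2008, 2, 15)),
              ControlAction("Install CCTV at transhipment bay", date(2008, 4, 1))]),
    Scenario("R-02", "Storm damage disabling perimeter lighting",
             "unlikely", "moderate",
             actions=[ControlAction("Add backup power for lighting", date(2008, 6, 1))]),
    Scenario("R-03", "Unauthorised access to shipment data",
             "likely", "severe", "rare", "severe",
             [ControlAction("Role-based access to shipment system", date(2008, 2, 1), date(2008, 1, 20))]),
]

if __name__ == "__main__":
    for ref, view in assess_register(SAMPLE_REGISTER, date(2008, 5, 1)).items():
        print(ref, view)
```

Run as written, the register shows R-02 as "not effective" because it was never re-assessed (no residual rating), and R-01 with one overdue action; both are the kinds of finding item d) is asking the auditor to look for.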

4.3.2 Legal, statutory and other security regulatory requirements

Does the organization establish, implement and maintain a procedure:

a) to identify and have access to the applicable legal requirements and other requirements to which the organization subscribes related to its security threats and risks?

b) to determine how these requirements apply to its security threats and risks?

Note: Risk mitigation and prevention (counter measures, response plans and detection methods) shall not only be derived from the results of the risk assessment but also from legal, statutory and other security requirements. That process shall be done through identification of objectives, targets and programmes.

Does the organization keep this information up-to-date?

Does the organization communicate relevant information on legal and other requirements to its employees and other relevant third parties including contractors?

4.3.3 Security management objectives

Does the organization establish, implement, and maintain documented security management objectives at relevant functions and levels within the organization?

ISO 28004 4.3.3 b): Ensure the organisation has measurable security objectives consistent with the security policy. These need to be communicated (see section 4.4.2) and deployed through the security management programme (4.3.4).

When establishing and reviewing its objectives, did the organization take the following points into account?

a) Legal, statutory and other security regulatory requirements?

See also section 4.3.2

b) Security related threats and risks?

See also section 4.3.1

c) Technological and other options?

Note: often evidenced through maintenance and calibration records, but may also include, more purposefully:

- cost-benefit analyses
- best practice considerations

d) Financial, operational and business requirements?

Such requirements might be:

- confidentiality of customer information
- defined risk management objectives
- business partner requirements

e) Views of appropriate stakeholders? See also section 4.4.3

Are the security management objectives:

a) consistent with the organization's commitment to continual improvement?

See also section 4.6. Note: refer to the quality management system if one exists.

b) quantified (where practicable)?

c) communicated to all relevant employees and third parties, including contractors, with the intent that these persons are made aware of their individual obligations?

See also section 4.4.3

d) reviewed periodically to ensure that they remain relevant and consistent with the security management policy? Have the security management objectives been amended accordingly where necessary?

See also 4.6. Note: reviews may be achieved through audits, exercises, repetitive risk assessment and up-to-date identification of legal and other requirements.

4.3.4 Security management targets

Does the organization establish, implement and maintain documented security management targets appropriate to the needs of the organization?

Targets should be the result of, and consistent with, the security policy (see sections 4.2 and 4.3.1). See ISO 28004 for security target requirements. Examples of security targets include:

- risk reduction within a given time frame
- introduction of new technologies within a given time frame
- the elimination or reduction in frequency of particular undesired events.

Do the targets derive from, and are they consistent with, the security management objectives?

See 4.3.3

Are these targets:

a) to an appropriate level of detail?

Note: the targets should specify at least:

- the threat or vulnerability that is being addressed
- the type of measurement and indicators

b) specific, measurable, achievable, relevant and time-based (where practicable)?

See above and ISO 28004 ch 4.3.4 d)

c) communicated to all relevant employees and third parties including contractors with the intent that these persons are made aware of their individual obligations?

See also sections 4.4.2 and 4.4.3

d) reviewed periodically to ensure that they remain relevant and consistent with the security management objectives? Have the targets been amended accordingly where necessary?

See also section 4.3.5 – should be specified in security management programmes.

4.3.5 Security management programmes

Does the organization establish, implement and maintain security management programmes for achieving its objectives and targets?

Have the programmes been optimized and then prioritized? Does the organization provide the efficient and cost effective implementation of these programmes?

Does the documentation describe:

a) designated responsibility and authority for achieving security management objectives and targets?

b) the means and time-scale by which security management objectives and targets are to be achieved?

Have the security management programmes been reviewed periodically to ensure that they remain effective and consistent with the objectives and targets? Have the programmes been amended accordingly where necessary?

4.4.1 Structure, authority and responsibilities for security management

Does the organization establish and maintain an organizational structure of roles, responsibilities and authorities?

ISO 28004 ch 4.4.1 b) Only security cleared staff should be used for security critical tasks.

Have these roles, responsibilities and authorities been defined, documented and communicated to the individuals responsible for implementation and maintenance?

ISO 28004 ch 4.4.1 d): Define:

- Top management responsibility
- Management representative responsibility
- Line management responsibility

Document:

- Security management manuals
- Work procedures
- Job descriptions
- Induction/awareness training

Is top management able to provide evidence of its commitment to the development and implementation of the security management system (processes) and to continually improving its effectiveness by:

a) appointing a member of top management who, irrespective of other responsibilities, shall be responsible for the overall design, maintenance, documentation and improvement of the organization’s security management system?

Note: One member of top-management must be appointed as being OVERALL responsible for the security management system

b) appointing (a) member(s) of management with the necessary authority to ensure that the objectives and targets are implemented?

Note: Further to above one or more management personnel need to be appointed and given the authority to achieve identified objectives and targets. Within each programme further responsibilities are expected to be defined in a large organization.

c) identifying and monitoring the requirements and expectations of the organization's stakeholders and taking appropriate and timely action to manage these expectations?

Note: definition of stakeholder according to ISO 28000: “person or entity having a vested interest in the organization's performance, success or the impact of its activities, e.g. customers, shareholders, financiers, insurers, regulators, statutory bodies, employees, contractors, suppliers, labour organizations, or society”.

d) ensuring the availability of adequate resources? ISO 28004 ch. 4.4.1 d 7): Resources can be considered adequate, if they are sufficient to carry out security programmes and activities, including performance measurement and monitoring. For organisations with established security management systems, the adequacy can be at least partially evaluated by comparing the planned achievement of security objectives with actual results.

e) considering the adverse impact that the security management policy, objectives, targets, programmes, etc. may have on other aspects of the organization?

Note: eg cost-benefit analyses, business impact analyses and change management tools.

f) ensuring any security programmes generated from other parts of the organization complement the security management system?

See Section 4.4.4 c) for evidence. Note: consider the interrelationship with AEO and ISO 20850 (ISPS-Code), C-TPAT and possibly security programmes derived from a quality management system.

g) communicating to the organization the importance of meeting its security management requirements in order to comply with its policy?

See Section 4.4.3 for evidence. Note: this is about security awareness of staff.

h) ensuring security-related threats and risks are evaluated and included in organizational threat and risk assessments, as appropriate?

Risk assessment process in place as per ISO 28001 Annex A.1-A.3. Are performance reviews being carried out? (Annex A.3)

i) ensuring the viability of the security management objectives, targets and programmes?

See Section 4.6 for evidence.

4.4.2 Competence, training and awareness

Does the organization ensure that personnel responsible for the design, operation and management of security equipment and processes are suitably qualified in terms of education, training and/or experience?

ISO 28004 ch 4.4.2: evidence may include:

- Analysis of training needs
- Training programmes/plans
- Training courses
- Training records/evaluations
- Security awareness programme
- Security awareness evaluation

Does the organization establish and maintain procedures to make persons working for it or on its behalf aware of:

ISO 28004 ch 4.4.2: to include contractors, temporary workers and visitors. See also Section 4.2 j).

a) the importance of compliance with the security management policy and procedures, and with the requirements of the security management system?

ISO 28004 ch 4.4.2 d). Note: this is about security awareness.

b) their roles and responsibilities in achieving compliance with the security management policy and procedures and with the requirements of the security management system, including emergency preparedness and response requirements?

ISO 28004 ch 4.4.2 d). Note: this is about the specific tasks to be complied with by personnel and persons working on behalf of the organization (training, familiarization etc).

c) the potential consequences to the organization's security of departing from specified operating procedures?

ISO 28004 ch 4.4.2 d). Note: this is about making personnel aware of the consequences if security tasks and procedures are not complied with.

Are records of competence and training kept?

ISO 28004 ch 4.4.2 e)

4.4.3 Communication

Does the organization have procedures for ensuring that pertinent security management information is communicated to and from relevant employees, contractors and other stakeholders?

See ISO 28004 ch 4.3.3; information can be communicated through:

- management and employee consultations/councils
- employee involvement improvement schemes
- security briefings
- notice boards
- email or print newsletters

Because of the sensitive nature of certain security-related information, does the organization give due consideration to the sensitivity of information prior to dissemination?

4.4.4 Documentation

Does the organization establish and maintain a security management documentation system that includes, but is not limited to, the following:

a) the security policy, objectives and targets?

b) description of the scope of the security management system?

c) description of the main elements of the security management system and their interaction, and reference to related documents?

d) documents, including records, required by this International Standard?

e) documents determined by the organization to be necessary to ensure the effective planning, operation and control of processes that relate to its significant security threats and risks?

Does the organization determine the security sensitivity of information and take steps to prevent unauthorized access?

4.4.5 Document and data control

Does the organization establish and maintain procedures for controlling all documents, data and information required by Clause 4 of this Specification to ensure that:

a) these documents, data and information can be located and accessed only by authorized individuals?

Authorised personnel: see ISO 28001 ch 5.8. Note: evidence of the authorisation procedure if necessary. For example:

- Is there an ID system tied to the authorisation procedure?
- Does possession of a (fraudulent) ID confer authorisation?
- Is data access logged and fraudulent access flagged?
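The three evidence questions for 4.4.5 a) as one worked check an auditor could run over a document-access log: does the ID resolve to an authorisation record (rather than merely being possessed), is every access logged, and is access granted without valid authorisation flagged. This is added illustration code, not from the checklist or ISO 28001 ch 5.8; the log line format, the IDs, document names, classification levels and the register `AUTH_REGISTER` are constructed assumptions, and `flag_access` and `authorisation_problem` are names chosen here.

```python
"""Worked example for checklist item 4.4.5 a): check a document-access log
against the authorisation register and flag granted accesses that the
register does not authorise. Added illustration code, not from the
checklist or ISO 28001 ch 5.8; log format, IDs, documents and register are
constructed assumptions.
"""
import re
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple

# Classification levels, lowest to highest (constructed assumption).
LEVELS = {"public": 0, "internal": 1, "restricted": 2, "confidential": 3}

# Constructed authorisation register: ID -> clearance, validity, revocation.
AUTH_REGISTER: Dict[str, Dict[str, object]] = {
    "E-1042": {"clearance": "restricted", "valid_to": date(2008, 12, 31), "revoked": False},
    "E-0917": {"clearance": "confidential", "valid_to": date(2008, 12, 31), "revoked": True},  # left the company
    "C-0303": {"clearance": "internal", "valid_to": date(2007, 12, 31), "revoked": False},  # contractor, expired
}

# Constructed access log: ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2008-01-06T09:12:44 id=E-1042 doc=SSP-07 class=restricted action=read result=granted
2008-01-06T09:40:02 id=E-0917 doc=SSP-07 class=restricted action=read result=granted
2008-01-06T10:05:19 id=C-0303 doc=RA-2008 class=internal action=read result=granted
2008-01-06T10:31:55 id=X-9999 doc=SSP-07 class=confidential action=read result=granted
2008-01-06T11:00:00 id=E-1042 doc=BOARD-01 class=confidential action=read result=denied
2008-01-06T11:02:10 id=E-1042 doc=BOARD-01 class=confidential action=read result=granted
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line into a dict of fields; malformed lines yield None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields: Dict[str, object] = dict(
        kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    try:
        fields["ts"] = datetime.fromisoformat(m.group("ts"))
    except ValueError:
        return None
    return fields


def authorisation_problem(event: Dict[str, object], register: Dict[str, Dict[str, object]]) -> Optional[str]:
    """Why this access should not have been authorised, or None if it was in order."""
    entry = register.get(event["id"])
    if entry is None:
        return "unknown ID"                 # ID not tied to any authorisation record
    if entry["revoked"]:
        return "revoked ID"                 # possession of the ID confers nothing
    if event["ts"].date() > entry["valid_to"]:
        return "expired authorisation"
    if LEVELS[event["class"]] > LEVELS[entry["clearance"]]:
        return "classification above clearance"
    return None


def flag_access(log_text: str, register: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, id, doc, problem) for every GRANTED access that the
    register does not authorise. Denied attempts are not flagged here: the
    control worked, though they still belong in the log for review."""
    flags = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        problem = authorisation_problem(ev, register)
        if ev.get("result") == "granted" and problem:
            flags.append((ev["ts"].isoformat(), ev["id"], ev["doc"], problem))
    return flags


if __name__ == "__main__":
    for f in flag_access(SAMPLE_LOG, AUTH_REGISTER):
        print(*f)
```

On the constructed log this flags four events (revoked ID, expired contractor authorisation, an ID absent from the register, and a grant above the user's clearance) and leaves the correctly denied attempt unflagged; the denied line is still the evidence that access is logged at all, which is the first thing the checklist item asks for.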

b) these documents, data and information are periodically reviewed, revised as necessary, and approved for adequacy by authorized personnel?

Note: For example regular change of passwords, exchange of ID systems etc.

c) current versions of relevant documents, data and information are available at all locations where operations essential to the effective functioning of the security management system are performed?

d) obsolete documents, data and information are promptly removed from all points of issue and points of use, or otherwise assured against unintended use?

Note: consider procedures and enforcement for deletion of data: confidential waste baskets, shredding, electronic purging.

e) archival documents, data and information retained for legal or knowledge preservation purposes or both are suitably identified?

ISO 28004 ch 4.4.5 e): document control procedures, master lists, indexes, archival location?

f) these documents, data and information are secure, and if in electronic form are adequately backed up and can be recovered?

See also ISO 28001,chapter 5.8 Protection of the security information

4.4.6 Operational control

Does the organization identify those operations and activities that are necessary for achieving:

a) its security management policy?

b) the control of identified security threats and risks?

c) compliance with legal, statutory and other regulatory security requirements?

d) its security management objectives?

e) the delivery of its security management programmes?

f) the required level of supply chain security?

Does the organization ensure these operations and activities are carried out under specified conditions by:

a) establishing, implementing and maintaining documented procedures to control situations where their absence could lead to failure to achieve the operations and activities listed in 4.4.6 a) to f) above?

See also ISO 28001,chapter 5.4 Development of the supply chain security plan


b) evaluating any threats posed from upstream supply chain activities and applying controls to mitigatetheses impacts to the organization and other downstream supply chain operators?

Note: these threats should have been evaluated within the risk assessment and the result adequately been considered when developing objectives, targets, programmes and counter measures.

c) establishing and maintaining the requirements for goods or services which impact on security and communicating these to suppliers and contractors?

See also ISO 28001, chapter 4.2 – 4.5 Business partners - Security reviews of business partners

Do the procedures include controls for the design, installation, operation, refurbishment, and modification of security related items of equipment, instrumentation, etc., as appropriate?

Does the organization consider the associated security threats and risks where existing arrangements are revised or new arrangements introduced, that could impact on security management operations and activities, before their implementation?

Note: When existing arrangements are revised or new arrangements are introduced, this should only be done when the security impact (change of threats and risks) has been evaluated.

Do the new or revised arrangements to be considered include:

a) revised organizational structure, roles or responsibilities?

b) revised security management policy, objectives, targets or programmes?


c) revised processes and procedures?

d) the introduction of new infrastructure, security equipment or technology, which may include hardware and/or software?

e) the introduction of new contractors, suppliers or personnel, as appropriate?

4.4.7 Emergency preparedness, response and security recovery

Does the organization establish, implement and maintain appropriate plans and procedures to identify the potential for, and responses to, security incidents and emergency situations, and for preventing and mitigating the likely consequences that can be associated with them?

See section 4.3.1. Identification of the threat to business continuity through risk assessment.

Do the plans and procedures include information on the provision and maintenance of any identified equipment, facilities or services that can be required during or after incidents or emergency situations?

Does the organization periodically review the effectiveness of its emergency preparedness, response and security recovery plans and procedures, in particular after the occurrence of incidents or emergency situations caused by security breaches and threats?

Also the adequacy, eg through risk assessments. See section 4.3.1.

Note: Effectiveness may be reviewed after drills and exercises and must be reviewed after incidents or emergency situations.


Does the organization periodically test these procedures where practicable?

Note: This is about drills and exercises.

4.5.1 Security performance measurement and monitoring

Does the organization establish and maintain procedures to monitor and measure the performance of its security management system?

ISO 28004 ch. 4.5.1 d): Proactive monitoring, eg audits, inspections, exercises, reviews. Reactive monitoring, eg incident investigation and analysis.

Does the organization establish and maintain procedures to monitor and measure the security performance?

ISO 28004 ch 4.5.1 d) 2), e.g.
- security inspections
- behaviour sampling
- benchmarking against other security practices
- stakeholders' feedback

Does the organization consider the associated security threats and risks, including potential deterioration mechanisms and their consequences, when setting the frequency for measuring and monitoring the key performance parameters?

Note: this is part of the risk assessment. Deterioration mechanisms may be corrosion (fences and equipment housings), low visibility (for CCTV), wildlife (for motion detectors), power cuts (for lighting), computer malfunctions (for DVS or RFID readers).

Do these procedures provide for:

a) both qualitative and quantitative measurements, appropriate to the needs of the organization?

ISO 28004 ch 4.5.1 b) and d) 2). Note: measurements should be identified and specified. Measurements could be:
- frequency of undesirable events (specified in the risk assessment or security management programme)
- defined exercise results (scores)
- equipment down-times

b) monitoring the extent to which the organization's security management policy, objectives and targets are met?

ISO 28004 ch 4.5.1 d)

c) proactive measures of performance that monitor compliance with the security management programs, operational control criteria and applicable legislation, statutory, and other security regulatory requirements?

ISO 28004 ch 4.5.1 d) 2), e.g.
- systematic security inspections/surveys
- pattern analysis
- reviewing personnel qualifications and effectiveness in fitness reports
- benchmarking against good security practices
- stakeholder feedback

d) reactive measures of performance to monitor security-related deteriorations, failures, incidents, non-conformances (including near misses and false alarms) and other historical evidence of deficient security management system performance?

ISO 28004 ch 4.5.1 d) 3). Note: consider also documentation of reactions to false alerts and identification of equipment that is unfit for its intended purpose. Consideration should also be given to the functionality of equipment under adverse conditions.

ISO 28004 ch. 4.5.1 d) 5): contractor equipment/documentation should be subjected to the same controls as in-house equipment.

e) recording data and results of monitoring and measurement sufficient to facilitate subsequent corrective and preventive action analysis?

If monitoring equipment is required for performance and/or measurement and monitoring, does the organization require the establishment and maintenance of procedures for the calibration and maintenance of such equipment?

Are records of calibration and maintenance activities and results retained for sufficient time to comply with legislation and the organization's policy?

4.5.2 System evaluation

Does the organization evaluate security management plans, procedures, and capabilities through periodic reviews, testing, post-incident reports, lessons learned, performance evaluations, and exercises?


Are significant changes in these factors reflected immediately in the procedure(s)?

See also ISO 28000 ch 4.5.2 e). Note: evidence may be:
- reduced non-conformities or incidents
- better legal compliance
- evaluation reports

Does the organization periodically evaluate compliance with relevant legislation and regulations, industry best practices, and conformance with its own policy and objectives?

Consult sections 4.2, 4.3.2 and 4.3.3.

4.5.3 Security-related failures, incidents, non-conformances and corrective and preventive action

Does the organization establish, implement and maintain procedures for defining responsibility and authority for…

a) evaluating and initiating preventive actions to identify potential failures of security in order that they may be prevented from occurring?

See also ISO 28001, chapter 5.7 Actions required after a security incident

b) the investigation of security-related…

See also ISO 28001, ch 5.7 a). Guidance provided in ISO 28004 ch 4.5.3 d) iv). Note: establish also who carries out the investigations and to which standard.

i) failures including near misses and false alarms?

ii) incidents and emergency situations?

iii) non-conformances?


c) taking action to mitigate any consequences arising from such failures, incidents or non-conformances?

See also section 4.4.7 or any other contingency planning or emergency preparedness measures.

d) the initiation and completion of corrective actions?

See also ISO 28001, ch 5.7 a)

e) the confirmation of the effectiveness of corrective actions taken?

See also ISO 28001, ch 5.7 b) on the assessment of security recovery measures. See also section 4.6 on management review.

Do these procedures require that all proposed corrective and preventive actions are reviewed through the security threat and risk assessment process prior to implementation unless immediate implementation forestalls imminent exposures to life or public safety?

Note: proportionality of the reaction to the security incident. Security measures should not infringe safety or civil liberties.

Are any corrective or preventive actions taken to eliminate the causes of actual and potential non-conformances appropriate to the magnitude of the problems and commensurate with the security management related threats and risks likely to be encountered?

Note: Focus of new measures should not be solely on preventing the incident that just happened but on the root causes identified by the investigation and corroborated by the risk assessment.

Does the organization implement and record any changes in the documented procedures resulting from corrective and preventive action and does it include the required training where necessary?

Note: May be required by regulators. See also sections 4.3.2 and 4.5.4 for reference.

4.5.4 Control of Records

Does the organization establish and maintain records as necessary to demonstrate conformity to the requirements of its security management system and of this standard, and the results achieved?

See ISO 28004 ch 4.5.4 c). Security records might include:
- training and competency records
- security inspection reports
- security non-conformances
- security incident reports
- security logs (IT and physical)
- security meeting notes
- exercise and drill logs
- management reviews
- risk assessment and related documents
- security surveys and audits

Does the organization establish, implement and maintain (a) procedure(s) for the identification, storage, protection, retrieval, retention and disposal of records?

Note: digitally stored data too needs physical protection.

Are the records, and do they remain, legible, identifiable and traceable?

Is electronic and digital documentation tamper-proof, securely backed up and accessible only to authorized personnel?

See also ISO 28001, chapter 5.8 Protection of the security information.

4.5.5 Audit

Does the organization establish, implement and maintain a security management audit program?

Does the organization ensure that audits of the security management system are carried out at planned intervals, in order to:

Note: Planned intervals are to be understood as being annually.

a) determine whether or not the security management system...

i) conforms to planned arrangements for security management including the requirements of the whole of Clause 4 of this specification?


ii) has been properly implemented and maintained?

iii) is (are) effective in meeting the organization’s security management policy and objectives?

b) review the results of previous audits and the actions taken to rectify non-conformances?

c) provide information on the results of audits to management?

d) verify that the security equipment and personnel are appropriately deployed?

Does the audit program include any schedule, based on the results of threat and risk assessments of the organization's activities, and the results of previous audits?

Do the audit procedures cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results?


Are the audits conducted by personnel independent of those having direct responsibility for the activity being examined?

4.6 Management review and continual improvement

Does top management review the organization's security management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness?

Note: Planned intervals are to be understood as being annually.

Do reviews include assessing opportunities for improvement and the need for changes to the security management system, including the security policy and security objectives and threats and risks?

See also ISO 28001, chapter 5.6.2 Continual improvement

Are records of the management reviews retained? See section 4.5.4.

Does input to management reviews include:

a) results of audits and evaluations of compliance with legal requirements and with other requirements to which the organization subscribes?

b) communication(s) from external interested parties, including complaints?

c) the security performance of the organization?


d) the extent to which objectives and targets have been met?

e) status of corrective and preventive actions?

f) follow-up actions from previous management reviews?

g) changing circumstances, including developments in legal and other requirements related to its security aspects?

See also section 4.3.1 security risk assessment and 4.3.2 legal requirements.

h) recommendations for improvement?

Do the outputs from management reviews include any decisions and actions related to possible changes to security policy, objectives, targets and other elements of the security management system, consistent with the commitment to continual improvement?

See also ISO 28004 ch 4.6 e). Outputs include:
- meeting minutes
- revisions of security policies and objectives
- amendments of programmes
- specific corrective actions with target dates
- specific improvement actions with responsibilities and target dates
- date for review of corrective actions
- new risk appreciation
- new areas of emphasis
