ISO 27001:2022 ISMS Assessment

Evaluate alignment with ISO/IEC 27001:2022 requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System

Industries: Biotech, Healthcare, Research, Cannabis. Estimated time: 22 minutes. 23 questions.

1. Context & Leadership (Clauses 4-5)

Have you defined the scope and boundaries of your ISMS?*

Clause 4.3: Scope includes processes, locations, and information assets

Has top management established and communicated an information security policy?*

Clause 5.2: Policy approved by leadership, accessible to all personnel

Are information security roles and responsibilities assigned and documented?*

Clause 5.3: CISO or equivalent role with authority and resources

2. Planning & Risk Assessment (Clause 6)

Do you conduct regular information security risk assessments?*

Clause 6.1.2: Risk assessment methodology defined and consistently applied

Have you documented risk treatment plans with assigned owners?*

Clause 6.1.3: Risk treatment options (avoid, transfer, accept, mitigate)

Are residual risks formally accepted by risk owners?*

Clause 6.1.3d: Documented risk acceptance by authorized personnel

Have you defined measurable information security objectives?*

Clause 6.2: Objectives aligned with policy, monitored and communicated

3. Support & Resources (Clause 7)

Are adequate resources allocated to establish and maintain the ISMS?*

Clause 7.1: Personnel, infrastructure, budget for security operations

Do all personnel receive information security awareness training?*

Clause 7.2: Training on policies, threats, incident reporting

Is ISMS documentation controlled and maintained?*

Clause 7.5: Document control (versioning, approval, retention)

4. Operations & Controls (Clause 8)

Have you implemented Annex A controls based on risk assessment?*

Clause 8.1: Controls selected from ISO 27002 or justified alternatives

Do you maintain a Statement of Applicability (SoA) for all Annex A controls?*

Clause 6.1.3d: SoA documents which controls are implemented and why

Are information security risks assessed and treated in projects and changes?*

Clause 8.1: Security integrated into change management

5. Performance & Improvement (Clauses 9-10)

Do you monitor and measure ISMS performance with defined metrics?*

Clause 9.1: KPIs for control effectiveness and security objectives

Are internal ISMS audits conducted at planned intervals?*

Clause 9.2: Internal audits evaluate compliance and effectiveness

Does management review the ISMS at least annually?*

Clause 9.3: Review of audit results, incidents, metrics, changes

Do you track and resolve nonconformities with corrective actions?*

Clause 10.1: Root cause analysis and effectiveness verification

6. Annex A Controls

Do you maintain an information asset inventory with owners?*

A.5.9: Asset inventory including hardware, software, data, services

Are access rights granted based on the principle of least privilege?*

A.5.15-5.18: Access control policies and user access management

Do you use cryptographic controls to protect sensitive information?*

A.5.33-5.34: Encryption for data at rest and in transit

Is an information security incident management process established?*

A.5.24-5.28: Incident detection, reporting, response, and lessons learned

Do you conduct regular vulnerability assessments and penetration testing?*

A.8.8: Technical vulnerability management program

Are information backups performed and tested regularly?*

A.8.13: Backup and recovery procedures verified
