ISM Checklist

Why ISM Checklist is needed? What is the importance of ISM Checklist?

1.     If a business is worth doing, then it is worth doing it in a secured manner. Hence, there can not be any compromise. Without a Comprehensive professionally drawn information security Audit Checklist by your side, there is the likelihood that compromise may take place. This compromise is extremely costly for Organizations and Professionals.

2.     Information Security management audit is though very logical but requires a systematic detailed investigative approach. For a newbie entity (organization and professional) there are proverbial many a slips between cup and lips in the realm of information security management' thorough understanding let alone ISO 27001 audit.

3.     Even with several years of experience by an entity's (organization and professional) side, information security assessments (read investigations) go astray due to several reasons including engineered distractions, bias, time constraint, (un)comfortable niches, auditee guided audit (investigation), lack of optimum exposure and experience, etc. 

4.     Each vulnerability/Risk at the organization level, site level, department level, process, sub-process level, device & component level, tools/application level, people level, technology platform level, delivered products/services level, it is humanly possible to miss out a large number of unidentified vulnerabilities/risk due to various reasons including ignorance, rush, vested disinterest, insider threat, connivance between the various working groups, tendency to promote tools for shear commercial interests rather than a holistic security solution, and so on the list is very long. A comprehensive and detailed ISM Checklist enables "carpet bombing" of all ISMS requirements to detect what "exactly" is the compliance and non-compliance status.

5.     What is the biggest risk for an organization? The biggest vulnerability is the "Gang of unidentified risks", lurking in the dark, ready to pounce when the victim organization least expects it. The risks in this Gang, work sympathetically, and in synergy to inflict maximum damage, including corporate Mortality, huge penalties by the customers/clients and regulatory bodies, flight away of business, loss of reputation and brand value, loss of Jobs, Bankruptcy, etc. This becomes very much possible without a professionally drawn comprehensive and robust ISM Checklist by your side. 

6.     Of course, Information security Audit becomes a robust, immensely focussed, efficient, time saver exercise with help of the sharp ISM Checklist. 

Who all can use ISM Checklist?

These detailed Information Security Compliance audit Questions Checklist are useful for-

1.     Organization Planning for ISO 27001 Certification.

2.     Compliance Audits

3.     Gap Assessments prior to mergers and acquisitions, ISO 27001 Certification audit, vendor selection due diligence

4.     Enhancing longevity of the business by helping to conduct business in the most secured manner.

5.     Organizations keen for robust, resilient, and value-added Information Security Management System.

6.   Organizations keen to protect themselves against entire ISMS framework issues from requirements of ISO 27001.

7.     Organizations that want to survive client audits.

8.     Information Security Professionals.

9.     Internal auditors of Information Security Management System

10. External Auditors of Information Security Management System

11. Auditors of the client organizations tasked to assess the ISMS capability of their Service Providers, Vendors, and contractors.

12. Students of Information Security Management System

13. ISO 27001 Lead Auditor Training Participants

14. ISO 27001 Lead Implementer participants

15. Professionals doing Career switchover to Information security.

16. Owners of Business.

17. CTO, CIO, CISO, HODs, ISO 27001 SPOCs from departments, IT Teams, Central Security Team

How many ISM checklists are available?

1. There are two catalogs of ISMS Checklists, namely, "Clause wise Checklist for ISO 27001", and "Department Wise Checklist for ISO 27001".

2. Clause-wise audit checklist span all the clauses of the Information Security Management System framework, i.e., Clause 4 to Clause 10.2 auditable clauses. Clause 1 to Clause 3 are non-auditable clauses and therefore not covered in the Clause-wise checklist. 

3. Department wise Audit Checklists cover all critical Verticals such as the IT department, Software design and Development Department, HR & Training department, Admin department etc.

4. Find Below, both groups of Checklists, namely Table 1 for Clause-wise Checklists, and Table 2  for Department-wise Checklists.

Table 1 - "Clause Wise" ISM Checklist

Table 2 - "Department Wise" ISM Checklist

How to find out which ISM Checklists are suitable for me?

1).  For an organization aiming for ISO 27001 Certification

• Whether aiming for ISO 27001 Certification for the first time or maintaining ISO 27001 Certificate vide periodical Surveillance audits of ISMS, both Clause wise checklist, and department wise checklists are suggested and perform compliance audits as per the checklists.

• The same holds good for performing supplier (IInd party) audits, internal (1st party) audits, external (3rd party, certification) audits. 

• Information security Consultants would require both Clause wise checklists and department wise checklists

2).  For a Head of the department? 

HODs should focus on the checklist of their respective departments only, for example, the Head of the Human Resource department should only focus on "ISO 27001 HR Audit Checklist | 272 Compliance Questions".

3).  For a CISO [Chief Information Security Officer]

CISOs should focus on the ISMS framework checklist, i.e., "ISO 27001 Audit Checklist - Clauses 4 to 10.2 - 1336 Questions". CISO may ensure the organization obtains critical departments checklist centrally.

4).   For a CTO [Chief Technology Officer], and CIO 

CTO, CIO should focus on all IT department Checklists, and "Information Security Risk Management Audit Checklist | Clauses 6.1.1, 6.1.2, 6.1.3, 8.2, 8.3 - 251 Questions".

5).   For IT department professionals 

Look for your domain-specific checklists, for example, Network Security, IT help desk security, Web security, etc  "Information Security Risk Management Audit Checklist | Clauses 6.1.1, 6.1.2, 6.1.3, 8.2, 8.3 - 251 Questions".

6).   For preparing for a Job Interview 

Look for your weak areas and strengthen them with help of checklist questionnaires. The Thumb rule is to make your niches strong with help of a niche /vertical specific checklist. Key point is to walk the talk with the information security management system in your area of operation to land yourself your dream assignment. Everything being equal, functional knowledge + Information security exposure will surge you ahead of your competitors. Look for your domain-specific checklists, for example, Network Security, IT help desk security, Web security, etc  

Important information on ISM Checklist File

File format - Excel compatible for both Mac and Windows

Contains – As described in the description mentioned above

Language - English

File Delivery method - Immediate and Automatic. Through the secure link in the email provided at the time of check-out

Link Validity - 72 hours from the time of receiving the link through email

Invoice - Invoice is generated on your device immediately after successful payment.

Who has Prepared and Who has validated ISM Checklists?

These ISM checklists are prepared by an Expert Panel of IRCA Principal Auditors & Lead Instructors of Information Security Management System having aggregated panel team experience of over 200 years, under the aegis of ISO training Institute. The checklists are validated by the Head of the expert committee and approved by ISO Training Institute.

What is the basis of the ISM Checklist?

The ISM Checklist on Requirements of ISO 27001:2013 follows the cardinals of:-

1. Risk-based thinking (RBT),

2. Process approach, and

3. PDCA (Plan Do Check Act) methodology.

The expert panel of Information Security auditors and Instructors has conducted thousands of Information security audits and Training on ISO 27001. Besides, there is a continuous calibration of the Lead Auditors w.r.t requirements, interpretation, and audit experiences.

How to use ISM Checklist?

1. Securely save the original checklist file, and use the copy of the file as your working document during preparation/conduct of the Information Security Audit.

2. The organization's InfoSec processes are at varying levels of ISMS maturity, therefore, use checklist quantum apportioned to the current status of threats emerging from risk exposure.