ISO27001 Flashcards

1
Q

4.1

A

Understanding the organization and its context

2
Q

4.2

A

Understanding the needs and expectations of interested parties

3
Q

4.3

A

Determining the scope of the information security management system

4
Q

5.1

A

Leadership and commitment

5
Q

5.2

A

Policy
Top management shall establish an information security policy that:
a) is appropriate to the purpose of the organization;
b) includes information security objectives (see 6.2) or provides the framework for setting information
security objectives;
c) includes a commitment to satisfy applicable requirements related to information security;
d) includes a commitment to continual improvement of the information security management system.
The information security policy shall:
e) be available as documented information;
f) be communicated within the organization;
g) be available to interested parties, as appropri

6
Q

6.1

A

Actions to address risks and opportunities

7
Q

6.1.2

A

Information security risk assessment

8
Q

6.1.3

A

Information security risk treatment

9
Q

6.2

A

Information security objectives and planning to achieve them
The organization shall establish information security objectives at relevant functions and levels.
The information security objectives shall:
a) be consistent with the information security policy;
b) be measurable (if practicable);
c) take into account applicable information security requirements, and results from risk assessment
and risk treatment;
d) be monitored;
e) be communicated;
f) be updated as appropriate;
g) be available as documented information.
The organization shall retain documented information on the information security objectives.
When planning how to achieve its information security objectives, the organization shall determine:
h) what will be done;
i) what resources will be required;
j) who will be responsible;
k) when it will be completed; and
l) how the results will be evaluated.

10
Q

6.3

A

Planning of changes
When the organization determines the need for changes to the information security management
system, the changes shall be carried out in a planned manner.

11
Q

7 & 7.1

A

Support
7.1 Resources
The organization shall determine and provide the resources needed for the establishment,
implementation, maintenance and continual improvement of the information security management
system.

12
Q

7.2

A

Competence
The organization shall:
a) determine the necessary competence of person(s) doing work under its control that affects its
information security performance;
b) ensure that these persons are competent on the basis of appropriate education, training, or
experience;
c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness
of the actions taken; and
d) retain appropriate documented information as evidence of competence.
NOTE Applicable actions can include, for example: the provision of training to, the mentoring of, or the re-assignment of current employees; or the hiring or contracting of competent persons.

13
Q

7.3

A

Awareness
Persons doing work under the organization’s control shall be aware of:
a) the information security policy;
b) their contribution to the effectiveness of the information security management system, including
the benefits of improved information security performance; and
c) the implications of not conforming with the information security management system
requirements.

14
Q

7.4

A

Communication
The organization shall determine the need for internal and external communications relevant to the
information security management system including:
a) on what to communicate;
b) when to communicate;
c) with whom to communicate;
d) how to communicate.

15
Q

7.5

A

Documented information

16
Q

7.5.1

A

7.5.1 General
The organization’s information security management system shall include:
a) documented information required by this document; and
b) documented information determined by the organization as being necessary for the effectiveness
of the information security management system.
NOTE The extent of documented information for an information security management system can differ
from one organization to another due to:
1) the size of organization and its type of activities, processes, products and services;
2) the complexity of processes and their interactions; and
3) the competence of persons.

17
Q

7.5.2

A

7.5.2 Creating and updating
When creating and updating documented information the organization shall ensure appropriate:
a) identification and description (e.g. a title, date, author, or reference number);
b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic); and
c) review and approval for suitability and adequacy.

18
Q

8 and 8.1

A

8.1 Operational planning and control
The organization shall plan, implement and control the processes needed to meet requirements, and to
implement the actions determined in Clause 6, by:
— establishing criteria for the processes;
— implementing control of the processes in accordance with the criteria.
Documented information shall be available to the extent necessary to have confidence that the
processes have been carried out as planned.

19
Q

8.2 & 8.3

A

8.2 Information security risk assessment
The organization shall perform information security risk assessments at planned intervals or when
significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a).
The organization shall retain documented information of the results of the information security risk
assessments.
8.3 Information security risk treatment
The organization shall implement the information security risk treatment plan.
The organization shall retain documented information of the results of the information security risk
treatment.

20
Q

9 & 9.1

A

9 Performance Evaluation

9.1 Monitoring, measurement, analysis and evaluation
The organization shall determine:
a) what needs to be monitored and measured, including information security processes and controls;
b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure
valid results. The methods selected should produce comparable and reproducible results to be
considered valid;
c) when the monitoring and measuring shall be performed;
d) who shall monitor and measure;
e) when the results from monitoring and measurement shall be analysed and evaluated;
f) who shall analyse and evaluate these results.
Documented information shall be available as evidence of the results.
The organization shall evaluate the information security performance and the effectiveness of the
information security management system.

21
Q

9.2

A

9.2 Internal audit
9.2.1 General
The organization shall conduct internal audits at planned intervals to provide information on whether
the information security management system:
a) conforms to
1) the organization’s own requirements for its information security management system;
2) the requirements of this document;
b) is effectively implemented and maintained.
9.2.2 Internal audit programme
The organization shall plan, establish, implement and maintain an audit programme(s), including the
frequency, methods, responsibilities, planning requirements and reporting.
When establishing the internal audit programme(s), the organization shall consider the importance of
the processes concerned and the results of previous audits.
The organization shall:
a) define the audit criteria and scope for each audit;
b) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;
c) ensure that the results of the audits are reported to relevant management;
Documented information shall be available as evidence of the implementation of the audit programme(s)
and the audit results.

22
Q

9.3, 9.3.1 & 9.3.2

A

9.3 Management review
9.3.1 General
Top management shall review the organization’s information security management system at planned
intervals to ensure its continuing suitability, adequacy and effectiveness.
9.3.2 Management review inputs
The management review shall include consideration of:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the information security management
system;
c) changes in needs and expectations of interested parties that are relevant to the information
security management system;
d) feedback on the information security performance, including trends in:
1) nonconformities and corrective actions;
2) monitoring and measurement results;
3) audit results;
4) fulfilment of information security objectives;
e) feedback from interested parties;
f) results of risk assessment and status of risk treatment plan;
g) opportunities for continual improvement.
9.3.3 Management review results
The results of the management review shall include decisions related to continual improvement
opportunities and any needs for changes to the information security management system.

23
Q

10, 10.1 & 10.2

A

10.1 Continual improvement
The organization shall continually improve the suitability, adequacy and effectiveness of the information
security management system.
10.2 Nonconformity and corrective action
When a nonconformity occurs, the organization shall:
a) react to the nonconformity, and as applicable:
1) take action to control and correct it;
2) deal with the consequences;
b) evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur
or occur elsewhere, by:
1) reviewing the nonconformity;
2) determining the causes of the nonconformity; and
3) determining if similar nonconformities exist, or could potentially occur;
c) implement any action needed;
d) review the effectiveness of any corrective action taken; and
e) make changes to the information security management system, if necessary.
Corrective actions shall be appropriate to the effects of the nonconformities encountered.
Documented information shall be available as evidence of:
f) the nature of the nonconformities and any subsequent actions taken,
g) the results of any corrective action.