Pre-Assessment - ISO/IEC 27001:2022

ISO 27001 Pre-Assessment is to evaluate an organization's readiness for the Initial Audit
  • 1

    Disclaimer:

    The pre-assessment aims to assess readiness for the ISO 27001 certification process. The analytical approach in the tool is databrackets' way of determining whether an organization is ready for the certification audit.

    The material contained herein shall not be reproduced, published, or disclosed to others without the authorization of databrackets.

  • 2

    How ready are you for ISO/IEC 27001:2022 Certification Audit?

    Our pre-assessment method is designed specifically for Organizations undergoing the ISO 27001 audit for the first time.

    This pre-assessment will allow you to self-assess your Organization's readiness for an ISO/IEC 27001 ISMS [Information Security Management System] Certification Audit.

    The databrackets certification team has created a list of questions for you to complete as part of the pre-assessment to validate that your Organization's processes, procedures, and controls are in place.

  • 3

    Take up the Pre-assessment

    Please go through the questions and provide us with your response to identify where you are in the ISO/IEC 27001 process. Our unique scoring methodology will recommend a go or no-go decision to undergo the certification audit.

    You will receive a pre-assessment report, which will help you address requirements to bring your ISMS into conformance with the ISO 27001 standard.

  • 4

    What's this about? The specific information on the assets, processes, and organizational boundaries that the organization intends to include within the scope of its ISO 27001:2022 implementation.

    What is needed? A clear and concise description of the boundaries and extent of the audit coverage, including the organizational units, locations, and information assets included in the scope.

    Evidence Required:
    1) Scope of ISMS
    2) Strategy / Vision Statement
  • 5

    What's this about? The information security policy should contain a transparent statement that top management supports continual improvement across all activities. The policy states what the requirements for information security are within the actual context of the organization. It should contain brief, high-level statements of intent and direction concerning information security. All other policies, procedures, activities, and objectives associated with information security should be aligned to the information security policy.

    What is needed? Please refer to the evidence below and confirm whether your organization has information security policies and objectives at relevant functions and levels.

    Evidence Required:
    1) Information Security Policy
    2) Information Security Objectives
  • 6

    What's this about? Risk Management consists of two main elements: Risk Assessment (also called Risk Analysis) and Risk Treatment. What are risk assessment and treatment, and what is their purpose? Risk assessment is a process during which an organization identifies its information security risks and determines their likelihood and impact. Risk treatment starts from the fact that not all risks are equal: it aims to determine which security controls are needed to avoid potential incidents. The focus should be on the risks identified as “unacceptable risks.”

    What is needed? As part of Risk Assessment and Treatment, do you have a Risk Treatment Plan, Risk Assessment Reports, and Risk Metrics?

    Evidence Required:
    1) Risk Treatment Plan / Process
    2) Risk Assessment Reports
    3) Risk Metrics
  • 7

    What's this about? Defining, assigning, and communicating roles and responsibilities is important because that is how all employees in the company know what is expected of them, what their impact on information security is, and how they can contribute.

    What is needed? Please confirm whether your company has well-defined roles and responsibilities, including confidentiality or non-disclosure agreements.

    Evidence Required:
    1) Confidentiality Terms and Conditions signed by employees/contractors
    2) NDA Documents
    3) Third-Party Access Agreements
  • 8

    What's this about? An asset is defined as “anything that has value to the organization.” The purpose of this inventory is to list all the important information resources and identify their owners.

    What is needed? Does your organization maintain an inventory of assets and information processing facilities?

    Evidence Required:
    1) Master Asset List / Register
  • 9

    What's this about? Acceptable use of assets is a control used to define, document, and implement the rules for the proper use of assets. It relates to assets associated with information and information processing facilities, not to human assets.

    What is needed? Is there a rule or policy in place defining the acceptable use of assets? Are the information processing facilities identified, documented, and implemented?

    Evidence Required:
    1) Acceptable Use of Assets Policy
    2) Desktop Security Agreement
  • 10

    What's this about? Access controls are used wherever an organization stores sensitive information. The purpose of the access control policy is to determine access control rules for the organization. The policy defines rules for access to various systems, equipment, facilities, and information, based on business and security requirements for access.

    What is needed? Do you have an access control policy documented and reviewed based on business and information security requirements?

    Evidence Required:
    1) Access Authorization
    2) Access Administration
    3) Periodic Review of Access Rights
    4) Roles with Privileged Access
  • 11

    What's this about? The objective of this control is to ensure correct and secure operation of information processing facilities. Operating procedures must be documented and then made available to all users who need them. Documented operating procedures help to ensure the consistent and effective operation of systems.

    What is needed? Does your organization have operating procedures documented and made available to all users?

    Evidence Required:
    1) Standard Operating Procedures (SOPs)
    2) Configuration Documents
  • 12

    What's this about? Secure engineering is how you apply security while developing your IT projects. The principle is about “Assuring information protection in processing, transit, and storage.” Security principles for engineering should be established, documented, maintained, and applied to any information system implementation effort.

    What is needed? Does your organization have principles for secure systems engineering that are documented, maintained, and applied to information systems?

    Evidence Required:
    1) Secure Coding Guidelines
    2) OWASP / SANS Considerations
  • 13

    What's this about? Its objective is to ensure the security of organizational assets that are accessible to suppliers. Information security requirements for mitigating the risks of supplier access to organizational assets should be agreed with the supplier and documented.

    What is needed? Are there information security requirements for mitigating the risks associated with supplier access? Are they agreed with the suppliers and documented?

    Evidence Required:
    1) Third-Party Access Procedure
    2) Related Standard Operating Procedures
  • 14

    What's this about? The purpose of this procedure is to ensure quick detection of security events and weaknesses and quick reaction and response to security incidents. In simple terms, an incident is where some form of loss has occurred around confidentiality, integrity, or availability. It is about the management of information security incidents, events, and weaknesses.

    What is needed? Are there documented procedures for responding to information security incidents?

    Evidence Required:
    1) Assigned Roles for Incident Management
    2) Logged Incident Reports / Tickets
    3) Incident Investigation Reports
    4) Evidence Collected
    5) Lessons Learned (as part of the Incident Investigation Report)
    6) Actions / Response Taken for the Reported Incident / Event
  • 15

    What's this about? A business continuity plan means that a company should enable its information security to continue operating after an incident. Since information security in isolation serves no purpose, organizations typically plan their business continuity for all the important operations (both business and IT).

    What is needed? Do you have a Business Continuity Plan that is documented and implemented to handle information security during an adverse situation?

    Evidence Required:
    1) Business Continuity Procedure
    2) Business Continuity Plan / Disaster Recovery Plan
  • 16

    What's this about? Mandatory requirements can come in the form of labor laws, IT-related safety requirements, intellectual property rights, copyright laws, privacy, data encryption, and data protection laws. Laws and regulations are living entities that may vary depending on industry branch, country, and the type of information, among other aspects. “All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization.” – ISO 27001 A.18.1.1 control

    What is needed? Has your organization explicitly identified, documented, and kept up to date all relevant legislative, statutory, regulatory, and contractual requirements?

    Evidence Required:
    1) Applicable Legal Procedure
    2) Review of Legal Requirements
  • 17

    What's this about? Training, skills, and qualification records shall be in accordance with each role/profile. For training and skills, the reference could be training certificates, their duration, and their content; for experience, customer reference letters for activities performed by employees. Qualifications can be assessed based on academic qualifications and certifications. It is common to find these records as part of the employee recruitment process in the Human Resources Department.

    What is needed? Do you have records that determine the necessary competence of the person(s) doing work under the organization's control?

    Evidence Required:
    1) Records of Training, Skills, Experience, and Qualifications
    2) Hiring and New Joiner Procedure, Job Description, Induction Checklist
    3) Training (L&D) Procedure
  • 18

    What's this about? Organizations must evaluate how the ISMS is performing and look at the effectiveness of the Information Security Management System. Monitor and measure not just the objectives but the processes and controls as well. The organization must also determine the methods for monitoring, measurement, analysis, and evaluation, as applicable, to ensure valid results.

    What is needed? Does your organization evaluate the information security performance and the effectiveness of the information security management system?

    Evidence Required:
    1) Performance Monitoring Procedure
    2) Monitoring & Measurement of Results (Security Metrics)
  • 19

    What's this about? An ISO 27001 internal audit involves a thorough examination of your organization’s ISMS to ensure that it meets the Standard's requirements. Developing an ISO 27001 internal audit program can be beneficial since it enables continual improvement of your framework.

    What is needed? Does your organization conduct internal audits at planned intervals and prepare internal audit reports?

    Evidence Required:
    1) ISMS Internal Audit Program / Procedure
    2) Internal Audit Schedule
    3) Results of Internal Audits
  • 20

    What's this about? It is the responsibility of senior management to conduct the management review for ISO 27001. These reviews should be pre-planned and frequent enough to ensure that the Information Security Management System (ISMS) continues to be effective and achieves the aims of the business. The reviews should take place at planned intervals, which generally means at least once per annum.

    What is needed? Does top management review the organization’s information security management system at planned intervals and document the results?

    Evidence Required:
    1) ISMS Management Reviews and their results (Reports)
  • 21

    What's this about? ISO 27001 requires an organization to continually improve its ISMS. Corrective action is one mechanism to drive improvements and address weaknesses within the system. Corrective action is required by ISO 27001 when a non-conformance or deficiency is identified.

    What is needed? Does the organization prepare, maintain, and update the corrective actions taken to resolve any non-conformities?

    Evidence Required:
    1) Results of Corrective Actions (Register or Index of Nonconformities)
    2) Corrective Actions Taken
    3) Corrective Actions Procedure
  • 22

    Scoring Methodology

    The readiness assessment of the current state of your Organization's information security program is expressed as a score.

    The option chosen for each question carries a certain weightage, as defined in the table below.

    Option      Weightage
    Yes         100
    No          0
    Not Sure    0
    May Be      25

    databrackets has its own algorithm to calculate the final score based on your responses.

    The final score reflects your organization's readiness for the ISO/IEC 27001:2022 certification audit.
    You can reach out to us over phone +1 (866) 276-8309 or email us at iso@databrackets.com to engage databrackets for the certification audit.