Digital Edge's Compliance team has noticed that organizations and IT/compliance groups lack understanding of mandates for scheduled reviews and audits.
Each cybersecurity standard or framework has its own unique requirements. This article provides information on minimal required reviews and audits by NIST CSF standard.
List of reviews ISO 27001
|
|
Description of review |
Frequency/Occurrence |
Evidence |
|
1 |
Review of internal and external issues that are relevant to organization’s purpose and that affect its ability to achieve the intended outcome(s) of its information security management system. |
every 12 months |
Results of the review in the form of memo or report (can be short or detailed report) |
|
2 |
Review of organization’s interested parties and their requirements to information security. |
every 12 months |
Results of the review in the form of memo or report (can be short or detailed report) |
|
3 |
Review of information security management system (ISMS) scope of organization covering external and internal issues, requirements of interested parties and interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations. |
every 12 months |
Results of the review in the form of memo or report (can be short or detailed report) |
|
4 |
Management meeting covering: - ISMS - ISMS objectives in relation the strategic direction of the organization - integration of ISMS into the organization’s processes - allocation of resources and personnel to ISMS - internal audit findings - corrective or preventive actions - continuous improvement. |
every 12 months |
Results of the review in the form of memo or report (can be short or detailed report) |
|
5 |
Policies and procedures review including: - updating of policies and procedures, if required, due to changes in processes or in the environment (business, industry standards, technical environment) - review of changes made to policies and procedures (who, when and why) - review of how policies and procedures are shared/distributed among employees of the organization. |
every 12 months |
Results of the review in the form of memo or report (can be short or detailed report) |
|
6 |
Risk review covering: - risk assessment and acceptance criteria - risk identification and periodical review of such risks - risk treatment options and actual treatment of each risk - review of controls to mitigate or minimize risks - review of statement of applicability (SOA) - risk treatment plan - risk owners and risk approvers - risk treatment plan with allocated risk owners, resources and timeline. |
every 12 months |
Results of the review in the form of memo or report (can be short or detailed report) |
|
7 |
Awareness training including training of all employees of organization on ISMS, information security and/or best practices. |
every 12 months |
- Results of the review in the form of report (can be short or detailed report) - Screenshot from any application or platform performing such training, evidencing actual employees who took the training |
|
8 |
Internal audit covering ISMS documentation, processes, regular checks/reviews. |
every 12 months |
Results of the review in the form of detailed report |
|
9 |
Development of corrective preventive action plan based on Internal Audit findings. |
every 12 months |
Results of the review in the form of detailed plan |
|
10 |
Review of: - information security roles and responsibilities within organization - segregation of duties - contacts with authorities and special interest groups - implementation of information security in project management. |
every 12 months |
Results of the review in the form of memo or report (can be short or detailed report) |
|
11 |
Review of mobile devices usage and teleworking. |
every 12 months |
Results of the review in the form of memo or report (can be short or detailed report) |
|
12 |
Review of employees screening process, terms of employment, information security awareness and training, disciplinary process and termination process. |
every 12 months |
Results of the review in the form of memo or report (can be short or detailed report) |
|
13 |
Assets inventory review covering list of assets, their owners and users. |
every 6 months |
- Results of the review in the form of report (can be short or detailed report) - Screenshot from assets monitoring application/software - Email with results of review |
|
14 |
Information classification review covering: - information classification - information labelling - information/assets handling - media handling/transfer/destruction. |
every 12 months |
Results of the review in the form of memo or report (can be short or detailed report) |
|
15 |
User access review covering users access rights determination and definition. |
every 3 months |
- Results of the review in the form of report (can be short or detailed report) - Screenshot/email with results of review |
|
16 |
Cryptography review covering actual usage of cryptographic tools, keys management |
every 6 months |
- Results of the review in the form of report (can be short or detailed report) - Screenshot/email with results of review |
|
17 |
Physical security review covering: - office/premises security - physical entry controls - protection from external and environmental threats - secured areas - delivery and loading areas - equipment (including maintenance) - supporting utilities - cabling - clear desk policy. |
every 12 months |
Results of the review in the form of memo or report (can be short or detailed report) |
|
18 |
Operations security review covering: - change management - capacity management - segregation of development/testing/production networks/environments. |
every 12 months |
Results of the review in the form of memo or report (can be short or detailed report) |
|
19 |
Review of malware and antivirus security. |
every 3 months |
- Results of the review in the form of report (can be short or detailed report) - Screenshot/email with results of review |
|
20 |
Back-up test and review. |
every 12 months |
Results of the review in the form of memo or report (can be short or detailed report) |
|
21 |
User logs (administrator and operator) review covering actual actions of users. |
every 3 months |
- Results of the review in the form of report (can be short or detailed report) - Screenshot/email with results of review |
|
22 |
Vulnerability internal scan and review of the scan results |
every 3 months |
Results of the review in the form of detailed report |
|
22 |
Internal and external vulnerability assessment or penetration test with review of results and development of improvement plan |
every 12 months |
Results of the review in the form of detailed report |
|
23 |
Review of system acquisition, development and maintenance covering processes, policies, reporting, checks. |
every 12 months |
Results of the review in the form of memo or report (can be short or detailed report) |
|
24 |
Suppliers review covering responsibilities on information security, risk level of a supplier, risk acceptance criteria, contract. |
every 12 months |
Results of the review in the form of memo or report (can be short or detailed report) |
|
25 |
Review of Information Security Incident plan. |
every 12 months |
Results of the review in the form of memo or report (can be short or detailed report) |
|
26 |
Review of business continuity plan (BCP) and updating it, if required, by existent processes and environment. |
every 12 months |
Results of the review in the form of memo or report (can be short or detailed report) |
|
27 |
BCP test review. |
every 12 months |
- Results of the review in the form of report (can be short or detailed report) - Screenshot/email with results of review |
|
28 |
Review of applicable information security laws and alike contract obligations. |
every 12 months |
Results of the review in the form of memo or report (can be short or detailed report) |
|
29 |
Technical compliance review. |
every 12 months |
Results of the review in the form of memo or report (can be short or detailed report) |
