ISO 9001:2008 Diagnostic
First Name: *
Last Name: *
Company: *
Position: *
Address: *
City: *
ZIP: *
State/Country: *
Phone Number: *
CELL:
Fax Number (if available):
Email: *
Website (if available):
How would you like to be contacted by us? Phone Email *
Number of employees? *
Number of employees with university diploma: *
In how many locations is your company?
What are your company’s activities? *
What products and/or services do you offer? *
How did you hear about DCE Group? *
1. Are most 'successful companies' within your market sector already ISO 27001 registered? Yes No Not sure *
2. Will ISO 27001 certification give your organization a “competitive advantage” over its rivals? Yes No *
3. Will ISO 27001 give your customers confidence on your organization’s product/ service provision? Yes No *
4. Will ISO 27001 enable your organization to better meet its “regulatory” and “legal obligations”? Yes No *
5. Will ISO 27001 help your organization achieve “higher profits”, more sales and reduced costs? Yes No *
6. Does your organization maintain the security of information exchanged within an organization and with any external entity? Yes No *
7. Are formal exchange policies, procedures and controls in place to protect the exchange of information and do they cover the use of all types of communication facilities? Yes No *
8. Have agreements been established for the exchange of information and software between the organization and external parties? Yes No *
9. Are you able to identify (whether documented or not) key “processes” in your company? Yes No *
10. Are media protected against unauthorized access, misuse or corruption during transportation beyond the organization’s physical boundaries? Yes No *
11. Have policies and guidelines been developed and implemented to protect information associated with the interconnection of business information systems? Yes No *
12. Is electronic information passing over public networks protected from fraudulent activity, contract dispute, and unauthorized disclosure and modification? Yes No *
13. Is information involved in on-line transactions protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized message duplication or replay? Yes No *
14. Is the integrity of information made available on a publicly available system protected to prevent unauthorized modification? Yes No *
15. Are “Responsibilities and Authorities” clear, i.e. does everyone understand their roles? Yes No *
16. Does “management review” the company’s on-going operations and performance? Yes No *
17. Are “resources” regularly planned/reviewed (e.g. Finance, People, Buildings, Equipment)? Yes No *
18. Do you provide “training” to ensure your staff is properly trained to carry out their tasks? Yes No *
19. Are there audit logs recording user activities, exceptions and information security events and are they kept for an agreed period to assist in future investigations and access control monitoring? Yes No *
20. Have procedures for monitoring use of information processing facilities been established and are the results of the monitoring activities reviewed regularly? Yes No *
21. Are logging facilities and log information protected against tampering and unauthorized access? Yes No *
22. Are system administrator and system operator activities logged? Yes No *
23. Are the clocks of all relevant information processing systems within an organization or security domain synchronized with an agreed accurate time source? Yes No *
24. Does the organization control access to information? Yes No *
25. Is there a formal user registration and de-registration procedure for granting and revoking access to all information systems and services? Yes No *
26. Is the allocation of passwords controlled through a formal management process? Yes No *
27. Do users ensure that unattended equipment has appropriate protection? Yes No *
28. Does the organization have a clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities? Yes No *
29. Does the organization protect networked services from unauthorized access? Yes No *
30. Is a formal policy in place and have appropriate security measures been adopted to protect against the risks of using mobile computing and communication facilities? Yes No *
31. Does the organization protect the confidentiality, authenticity or integrity of information by cryptographic means? Yes No *
32. Does the organization ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken? Yes No *
33. Are information security events reported through appropriate management channels as quickly as possible? Yes No *
34. Are all employees, contractors and third party users of information systems and services required to note and report any observed or suspected weaknesses in systems or services? Yes No *
35. Have management responsibilities and procedures been established to ensure a quick, effective and orderly response to information security incidents? Yes No *
36. Where a follow-up action against a person or organization after an information security incident involves legal action (either civil or criminal), is evidence collected, retained and presented to conform to the rules for evidence laid down in the relevant jurisdictions? Yes No
37. Does the organization counteract interruptions to business activities, protect critical business processes from the effects of major failures or disasters and ensure their timely resumption? Yes No
38. Have plans been developed to maintain or restore operations and ensure availability of information at the required level and in the required time scales following interruption to, or failure of, critical business processes? Yes No *
39. Does the organization avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements? Yes No *
40. Have appropriate procedures been implemented to ensure compliance with legislative, regulatory and contractual requirements on the use of material in respect of which there may be intellectual property rights and on the use of proprietary software products? Yes No *
41. Does the organization protect important records from loss, destruction and falsification, in accordance with statutory, regulatory, contractual and business requirements? Yes No *
42. Does the organization maximize the effectiveness of, and minimize interference to/from, the information systems audit process? Yes No *