Checklist for ISO/IEC 27018:2014 (PII), Code of practice for protection of secure information (DOCX)
Download, DOCX format, 101 pages (also available in PDF format)
Item No.: RCG060aWSEP
Note: The purchase of the checklist comes with 4 hours of free consultation regarding its use and application.
The task of getting information security under control is daunting. The last thing an organization wants in its security management operation is to call in a Notified Body for certification and to find out that it is lacking the correct records or documents for the auditor to examine. If you do not read the standard correctly, it could cause a security problem or could increase the cost of becoming certified. That is why we believe a checklist is important.
The authors have carefully reviewed the Standard ISO/IEC 27018:2014 and defined the physical evidence required based upon this classification scheme. The authors then conducted a second review of the complete list to ensure that the Standard's authors did not leave out a physical piece of evidence that a "reasonable person" would expect to find. It could certainly be argued that if the Standard did not call it out then it is not required; however, if the Standard is used by an organization to improve its process, then it makes sense to recognize missing documents. Therefore, there are documents specified in this checklist that are implied by the Standard, though not specifically called out by it, and they are designated by an asterisk (*) throughout this checklist. If a document is called out more than once, only the first reference is stipulated.
There are occasional situations in which a procedure or document is not necessarily separate and could be contained within another document. For example, the "Security Monitoring Log Information Record" could be a part of the "Security Monitoring and Operational Diagnostics Log Information Record." The authors have called out these individual items separately to ensure that the organization does not overlook any facet of physical evidence. If the organization does not require a separate document, and an item can be a subset of another document or record, then this fact should be denoted in the detail section of the checklist for that item, in the form of a statement that the information for this document may be found in section XX of Document XYZ. If the organizational requirements do not call for this physical evidence for a project, this should also be denoted with a statement that this physical evidence is not required and why; the reasons should be clearly presented in that statement. Further details on this step are provided in the Detail Steps section of the introduction. The size of these documents could vary from paragraphs to volumes depending upon the size and complexity of the project or business requirements.