
UNIVERSITI UTARA MALAYSIA
ISMS INTERNAL AUDIT CHECKLIST (SENARAI SEMAK AUDIT DALAM ISMS)
ISMS PROCESS REQUIREMENTS

4.2.1 Establish the ISMS
c) Define the risk assessment approach of the organization.

Q1. Consider the following aspects relating to the organization's risk assessment approach. Tick one box for each control requirement.

Aspect | Control requirement | Yes | Partial | No
4.2.1.c.1 | Has a risk assessment methodology been identified that is suited to the ISMS, and to the identified business information security, legal and regulatory requirements? | | |
4.2.1.c.2 | Have criteria for accepting risks and identifying the acceptable levels of risk been developed (see 5.1.f)? | | |
4.2.1.c.3 | Does the selected risk assessment methodology ensure that risk assessments produce comparable and reproducible results? | | |
Ticks recorded (aspect and column not recoverable): / /

Q2. If you have ticked either of the boxes marked YES, PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect | Reasons and justification (with reference to supporting evidence) | Action to be taken
4.2.1.c.1 | The Malaysian Public Sector Information Security Risk Assessment Methodology (MyRAM) |
4.2.1.c.2 | Procedure UUM-DCOP-ISMS-P1-002 Risk Assessment Report (Laporan Penilaian Risiko) |
4.2.1.c.3 | The Malaysian Public Sector Information Security Risk Assessment Methodology (MyRAM) |

Version: 1.0    15 April 2012
Page: 1

COMMENTS: Enter a wider explanation of the reason(s) indicated above. Where aspects are already addressed it may be helpful to detail them.


4.2.1 Establish the ISMS
d) Identify the risks.

Q1. Consider the following aspects relating to risk identification. Tick one box for each control requirement.

Aspect | Control requirement | Yes | Partial | No
4.2.1.d.1 | Is there a process in place and being used for the identification of risks? | / | |
4.2.1.d.2 | Does this process identify the assets within the scope of the ISMS and the owners of these assets? | / | |
4.2.1.d.3 | Does this process identify the threats to these assets? | / | |
4.2.1.d.4 | Does this process identify the vulnerabilities that might be exploited by the threats? | / | |
4.2.1.d.5 | Does this process identify the impacts that losses of confidentiality, integrity and availability may have on the assets? | / | |

Q2. If you have ticked either of the boxes marked YES, PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect | Reasons and justification (with reference to supporting evidence) | Action to be taken
4.2.1.d.1 | Procedure UUM-DCOP-ISMS-P1-002 Risk Assessment Report (Laporan Penilaian Risiko) |
4.2.1.d.2 | Procedure ISMS-DCOP-ISMS-P1-002, Appendix 1(C) |
4.2.1.d.3 | Procedure ISMS-DCOP-ISMS-P1-002, Appendix 1(C) and Appendix 1(F) |
4.2.1.d.4 | Procedure ISMS-DCOP-ISMS-P1-002, Appendix 1(C) and Appendix 1(G) |
4.2.1.d.5 | Procedure ISMS-DCOP-ISMS-P1-002, Appendix 1(C), Appendix 1(D) and Appendix 1(I) |

COMMENTS: Enter a wider explanation of the reason(s) indicated above. Where aspects are already addressed it may be helpful to detail them.


4.2.1 Establish the ISMS
e) Analyse and evaluate the risks.

Q1. Consider the following aspects relating to the analysis and evaluation of risks. Tick one box for each control requirement.

Aspect | Control requirement | Yes | Partial | No
4.2.1.e.1 | Is there a process in place and being used for analysing and evaluating the risks? | | |
4.2.1.e.2 | Does this process assess the business impact upon the organization that might result from a security failure, taking into account the consequences of a loss of confidentiality, integrity and availability of the assets? | | |
4.2.1.e.3 | Does this process assess the realistic likelihood of such a security failure occurring in the light of prevailing threats and vulnerabilities, the impacts associated with the assets, and the controls currently implemented? | | |
4.2.1.e.4 | Does this process estimate the levels of risk? | | |
4.2.1.e.5 | Does this process determine whether the risk is acceptable or requires treatment, using the risk acceptance criteria established in 4.2.1.c? | | |
Ticks recorded (aspect and column not recoverable): / ; / /

Q2. If you have ticked either of the boxes marked YES, PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect | Reasons and justification (with reference to supporting evidence) | Action to be taken
4.2.1.e.1 | Procedure ISMS-DCOP-ISMS-P1-002, Appendix 1(C), Appendix 1(D), Appendix 1(I), Appendix 1(J) and Appendix 1(K) |
4.2.1.e.2 | Procedure ISMS-DCOP-ISMS-P1-002, Appendix 1(C), Appendix 1(D) and Appendix 1(I) |
4.2.1.e.3 | Procedure ISMS-DCOP-ISMS-P1-002, Appendix 1(C), Appendix 1(D) and Appendix 1(J) |
4.2.1.e.4 | Procedure ISMS-DCOP-ISMS-P1-002, Appendix 1(C), Appendix 1(D) and Appendix 1(L) |
4.2.1.e.5 | |

COMMENTS: Enter a wider explanation of the reason(s) indicated above. Where aspects are already addressed it may be helpful to detail them.


4.2.1 Establish the ISMS
f) Identify and evaluate options for the treatment of risks.

Q1. Consider the following aspects relating to the process of risk treatment. Tick one box for each control requirement.

Aspect | Control requirement | Yes | Partial | No
4.2.1.f.1 | Is there a process in place and being used to identify and evaluate options for the treatment of risks? | | |
4.2.1.f.2 | Does this process consider the following possible actions: (i) applying appropriate controls; (ii) knowingly and objectively accepting the risks, provided they clearly satisfy the organization's policies and the criteria for risk acceptance (see 4.2.1.c.2); (iii) avoiding the risks; or (iv) transferring the associated business risks to other parties, such as insurers or suppliers? | | |
Ticks recorded: one tick in the Yes column (aspect not recoverable)

Q2. If you have ticked either of the boxes marked YES, PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect | Reasons and justification (with reference to supporting evidence) | Action to be taken
4.2.1.f.1 | Procedure ISMS-DCOP-ISMS-P1-002, Appendix 1(C), Appendix 1(D) and Appendix 1(M) |
4.2.1.f.2 | |

COMMENTS: Enter a wider explanation of the reason(s) indicated above. Where aspects are already addressed it may be helpful to detail them.


4.2.1 Establish the ISMS
g) Select control objectives and controls for the treatment of risks.

Q1. Consider the following aspects relating to the process of selecting controls. Tick one box for each control requirement.

Aspect | Control requirement | Yes | Partial | No
4.2.1.g.1 | Is there a process in place to select and implement control objectives and controls meeting the requirements identified by the risk assessment and risk treatment process? | | |
4.2.1.g.2 | Does this selection take account of the criteria for accepting risks (see 4.2.1.c) as well as legal, regulatory and contractual requirements? | | |
4.2.1.g.3 | Does the selection process ensure that control objectives and controls are selected from Annex A of ISO/IEC 27001:2005, and that they are suitable to cover the identified requirements? | | |
4.2.1.g.4 | Does the selection process allow for the selection of control objectives and controls not in Annex A of ISO/IEC 27001:2005? | | |

Q2. If you have ticked either of the boxes marked YES, PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect | Reasons and justification (with reference to supporting evidence) | Action to be taken
4.2.1.g.1 | No specific process is being applied to select and implement control objectives and controls meeting the requirements identified by the risk assessment and risk treatment process. |
4.2.1.g.2 | |
4.2.1.g.3 | |
4.2.1.g.4 | |

COMMENTS: Enter a wider explanation of the reason(s) indicated above. Where aspects are already addressed it may be helpful to detail them.

4.2.1 Establish the ISMS
h) Obtain management approval of the proposed residual risks.

Q1. Consider the following aspect relating to the process of approving the proposed residual risks and the process of obtaining management authorization to implement and operate the ISMS. Tick one box for each control requirement.

Aspect | Control requirement | Yes | Partial | No
4.2.1.h.1 | Is there a process in place and being used for obtaining management approval of residual risks? | / | |

Q2. If you have ticked either of the boxes marked YES, PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect | Reasons and justification (with reference to supporting evidence) | Action to be taken
4.2.1.h.1 | Procedure ISMS-DCOP-ISMS-P1-007 - Approval of the Director of the Computer Centre (Kelulusan Pengarah Pusat Komputer) |

COMMENTS: Enter a wider explanation of the reason(s) indicated above. Where aspects are already addressed it may be helpful to detail them.

4.2.2 Implement and operate the ISMS
a) Formulate a risk treatment plan that identifies the appropriate management action, resources, responsibilities and priorities for managing information security risks (see 5).

Q1. Consider the following aspects relating to the process of formulating the risk treatment plan. Tick one box for each control requirement.

Aspect | Control requirement | Yes | Partial | No
4.2.2.a.1 | Is there a process in place and being used for formulating a risk treatment plan that identifies the appropriate management action, responsibilities and priorities for managing information security risks? | / | |
4.2.2.a.2 | Does this process ensure that the appropriate management action is identified in the risk treatment plan? | / | |
4.2.2.a.3 | Does this process ensure that the necessary responsibilities and priorities are identified for managing information security risks (see 5)? | / | |

Q2. If you have ticked either of the boxes marked YES, PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect | Reasons and justification (with reference to supporting evidence) | Action to be taken
4.2.2.a.1, 4.2.2.a.2 | Procedure ISMS-DCOP-ISMS-P1-007, Approval of the Director of the Computer Centre (Kelulusan Pengarah Pusat Komputer) |
4.2.2.a.3 | No specific process is being applied to ensure that the necessary responsibilities and priorities are identified for managing information security risks. |

COMMENTS: Enter a wider explanation of the reason(s) indicated above. Where aspects are already addressed it may be helpful to detail them.

4.2.2 Implement and operate the ISMS
b) Implement the risk treatment plan in order to achieve the identified control objectives, which includes consideration of funding and allocation of roles and responsibilities.
c) Implement the controls selected in 4.2.1.g to meet the control objectives.

Q1. Consider the following aspects relating to the process of implementing the risk treatment plan and implementing the selected controls. Tick one box for each control requirement.

Aspect | Control requirement | Yes | Partial | No
4.2.2.b.1 | Is there a process in place and being used for implementing the risk treatment plan? | | |
4.2.2.b.2 | Does this process ensure that the implemented risk treatment plan achieves the identified control objectives? | | |
4.2.2.b.3 | Does this process include the consideration of funding and allocation of roles and responsibilities? | | |
4.2.2.c.1 | Is there a process in place and being used for implementing the controls selected in 4.2.1.g? | | |
4.2.2.c.2 | Does this process ensure that the controls meet the control objectives? | | |
Ticks recorded: two in the Yes column; three more whose aspect and column are not recoverable (/ / /)

Q2. If you have ticked either of the boxes marked YES, PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect | Reasons and justification (with reference to supporting evidence) | Action to be taken
4.2.2.b.1, 4.2.2.b.2, 4.2.2.b.3, 4.2.2.c.1, 4.2.2.c.2 | DCOP Unit Meeting, Discussion Notes (Mesyuarat Unit DCOP, Catatan Perbincangan) |

COMMENTS: Enter a wider explanation of the reason(s) indicated above. Where aspects are already addressed it may be helpful to detail them.

4.2.3 Monitor and review the ISMS
d) Review risk assessments at planned intervals and review the level of residual risk and identified acceptable risk.

Q1. Consider the following aspects relating to the process of regularly reviewing the risk assessment, the level of residual risk and the identified acceptable risk. Tick one box for each control requirement.

Aspect | Control requirement | Yes | Partial | No
4.2.3.d.1 | Is there a process in place and being used for reviewing the risk assessments at planned intervals, and for the review of the level of residual risk and identified acceptable risk? | | |
4.2.3.d.2 | Does this process take account of changes to the organization? | | |
4.2.3.d.3 | Does this process take account of changes in technology? | | |
4.2.3.d.4 | Does this process take account of changes to business objectives and processes? | | |
4.2.3.d.5 | Does this process take account of identified threats? | | |
4.2.3.d.6 | Does this process take account of the effectiveness of implemented controls? | | |
4.2.3.d.7 | Does this process take account of external events, such as changes to the legal or regulatory environment, changed contractual obligations, and changes in social climate? | | |

Q2. If you have ticked either of the boxes marked YES, PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect | Reasons and justification (with reference to supporting evidence) | Action to be taken
4.2.3.d.1 | |
4.2.3.d.2 | |
4.2.3.d.3 | |
4.2.3.d.4 | |
4.2.3.d.5 | |
4.2.3.d.6 | |
4.2.3.d.7 | |

COMMENTS: Enter a wider explanation of the reason(s) indicated above. Where aspects are already addressed it may be helpful to detail them.
