Your Compliance Roadmap

ESSENTIAL Tier · dev@localhost


ISO 27001

12 controls
A.5.1 Information Security Policy
"Do you have a written information security policy approved by management?"
What You Need To Do: Write a 2-3 page policy covering data classification, access control, incident response, and acceptable use. Have your CEO or board sign it. Review annually. This is the foundation document that every other control references.
Evidence needed: Signed policy document (PDF), board minutes showing approval, annual review record
A.5.2 Roles & Responsibilities
"Have you assigned clear security responsibilities to specific people?"
What You Need To Do: Define who is responsible for security in your organisation: a CISO (or equivalent), data owners for each system, and an incident response lead. Document these in a RACI matrix.
Evidence needed: RACI matrix, org chart with security roles highlighted, role descriptions
A.5.3 Segregation of Duties
"Can any single person both approve and execute sensitive actions?"
What You Need To Do: Ensure no one person can both approve access AND grant it, or both write code AND deploy it to production. Review all admin accounts for conflicting roles.
Evidence needed: SoD rule documentation, role conflict analysis, exception register
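One way to run the role-conflict review this control asks for, as an added example (not part of the roadmap or the Activitee product): the conflicting pairs come from the control text, while the role assignments and the exception register are constructed sample data standing in for an IdP export.

```python
from collections import defaultdict

# Conflicting role pairs taken from the control text: nobody may hold both
# halves of a pair unless the exception register records an approved exception.
SOD_CONFLICTS = {
    frozenset({"approve_access", "grant_access"}),
    frozenset({"write_code", "deploy_production"}),
}

# Constructed sample data: (user, role) rows as exported from an IAM system.
ASSIGNMENTS = [
    ("alice", "approve_access"),
    ("alice", "grant_access"),
    ("bob", "write_code"),
    ("bob", "deploy_production"),
    ("carol", "write_code"),
    ("dave", "approve_access"),
    ("dave", "write_code"),
]

# Constructed exception register: user -> set of conflicting pairs approved for them.
EXCEPTIONS = {
    "bob": {frozenset({"write_code", "deploy_production"})},
}

def roles_by_user(assignments):
    """Collapse (user, role) rows into user -> set of roles."""
    roles = defaultdict(set)
    for user, role in assignments:
        roles[user].add(role)
    return roles

def sod_review(assignments, conflicts=SOD_CONFLICTS, exceptions=EXCEPTIONS):
    """Return {"violations": {user: [pair, ...]}, "exceptions": {user: [pair, ...]}}.

    A user holding both roles of a conflicting pair is a violation unless that
    exact pair is listed against them in the exception register.
    """
    report = {"violations": defaultdict(list), "exceptions": defaultdict(list)}
    for user, roles in roles_by_user(assignments).items():
        for pair in conflicts:
            if pair <= roles:  # user holds every role in the conflicting pair
                bucket = "exceptions" if pair in exceptions.get(user, set()) else "violations"
                report[bucket][user].append(sorted(pair))
    return {k: dict(v) for k, v in report.items()}

if __name__ == "__main__":
    for bucket, users in sod_review(ASSIGNMENTS).items():
        for user, pairs in users.items():
            print(f"{bucket}: {user} holds {pairs}")
```

Users with only one half of a pair (carol, dave) are not reported; the "exceptions" bucket is what you reconcile against the exception register during the review.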
A.8.5 Secure Authentication
"Do all your users need a second factor (phone app, security key) to log in?"
What You Need To Do: Enable Multi-Factor Authentication (MFA) for ALL users, not just admins. If you use Microsoft 365, go to Entra ID > Security > Conditional Access and create a policy requiring MFA. If Google Workspace, enable 2-Step Verification.
Evidence needed: MFA policy screenshots, conditional access policy export, MFA enrollment report
A.5.24 Incident Response Planning
"Do you have a documented plan for when a security incident happens?"
What You Need To Do: Write an Incident Response Plan covering: (1) Who to call, (2) How to contain the breach, (3) When to notify regulators (OAIC requires 72 hours for notifiable breaches), (4) Post-incident review process.
Evidence needed: Incident Response Plan document, contact list, tabletop exercise records
A.8.8 Vulnerability Management
"Do you regularly scan your systems for security vulnerabilities?"
What You Need To Do: Run monthly vulnerability scans on all internet-facing systems. Fix critical findings within 48 hours, high within 7 days. Use Qualys, Nessus, or free OpenVAS. Keep records of every scan and remediation.
Evidence needed: Monthly scan reports, remediation tracking log, patch management records
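The remediation-tracking check implied by the 48-hour and 7-day SLAs above, as an added example (not from the roadmap or any scanner vendor): the SLA values come from the control text; the findings and timestamps are constructed sample data in the shape of a scanner export.

```python
from datetime import datetime, timedelta

# Remediation SLAs from the control text: critical within 48 hours, high within 7 days.
SLA = {"critical": timedelta(hours=48), "high": timedelta(days=7)}

# Constructed sample findings: when each first appeared and, if fixed,
# when a re-scan confirmed the fix (None = still open).
FINDINGS = [
    {"id": "F-1", "host": "web-01", "severity": "critical",
     "first_seen": "2024-03-01T09:00:00Z", "fixed_at": "2024-03-02T15:00:00Z"},
    {"id": "F-2", "host": "web-02", "severity": "critical",
     "first_seen": "2024-03-01T09:00:00Z", "fixed_at": None},
    {"id": "F-3", "host": "vpn-01", "severity": "high",
     "first_seen": "2024-03-01T09:00:00Z", "fixed_at": "2024-03-10T09:00:00Z"},
    {"id": "F-4", "host": "mail-01", "severity": "medium",
     "first_seen": "2024-03-01T09:00:00Z", "fixed_at": None},
]

def _parse(ts):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def sla_status(finding, now_iso):
    """Classify one finding as 'met', 'breached', 'open_within_sla',
    'open_overdue' or 'no_sla' (severities without an SLA on this page)."""
    limit = SLA.get(finding["severity"])
    if limit is None:
        return "no_sla"
    deadline = _parse(finding["first_seen"]) + limit
    if finding["fixed_at"] is not None:
        return "met" if _parse(finding["fixed_at"]) <= deadline else "breached"
    return "open_overdue" if _parse(now_iso) > deadline else "open_within_sla"

def sla_report(findings, now_iso):
    """Group finding ids by SLA status; the result is what the remediation log records."""
    report = {}
    for finding in findings:
        report.setdefault(sla_status(finding, now_iso), []).append(finding["id"])
    return report

if __name__ == "__main__":
    print(sla_report(FINDINGS, "2024-03-04T09:00:00Z"))
```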
A.5.19 Supplier Security
"Do your vendors who handle your data have adequate security controls?"
What You Need To Do: List ALL vendors who store or process your data. Check if each has SOC 2 Type II or ISO 27001 certification. Sign a Data Processing Agreement (DPA) with every vendor. Review annually.
Evidence needed: Vendor register, DPA copies, vendor certification evidence, risk assessment
A.6.1 Personnel Screening
"Do you background-check employees before giving them access to sensitive systems?"
What You Need To Do: Implement background checks for all employees who will access sensitive data. For contractors, require agency-provided screening evidence. Document the screening process.
Evidence needed: Background check policy, screening records (redacted), contractor vetting SOP
A.6.3 Security Awareness Training
"Do your staff receive regular security training?"
What You Need To Do: Implement mandatory security awareness training for all staff. Include phishing recognition, password hygiene, data handling, and incident reporting. Track completion. Run quarterly phishing simulations.
Evidence needed: Training completion reports, phishing simulation results, training materials
A.8.9 Configuration Management
"Do you have a formal process for approving changes to production systems?"
What You Need To Do: Establish a Change Advisory Board (CAB) or approval process. All production changes require approval before implementation. Document rollback procedures for each change.
Evidence needed: Change management policy, CAB meeting minutes, change request records
A.5.22 Supplier Monitoring
"Do you continuously monitor your vendors' security posture?"
What You Need To Do: Track vendor certification expiry dates. Set up alerts for vendor breach notifications. Conduct annual vendor security reviews. Use Activitee's VRM module to automate.
Evidence needed: Vendor review schedule, breach monitoring evidence, certification tracker
A.7.1 Physical Security
"Are your offices and data centres physically secure?"
What You Need To Do: If using cloud (AWS, Azure, GCP), physical security of the data centres is inherited from the provider; document that inheritance and keep the provider's attestation report on file. If on-premises, implement access badges, CCTV, visitor logs, and secure server rooms.
Evidence needed: Cloud provider SOC 2 report, physical access logs, CCTV policy

90-Day Implementation Plan

Week 1-2

Foundation

Write Information Security Policy. Assign security roles (CISO/equivalent). Set up risk register. Enable MFA for all admin accounts.

Week 3-4

Access Controls

Implement MFA for all users. Document access provisioning/deprovisioning SOP. Conduct initial access review. Identify shared accounts.

Week 5-6

Vendor & Data

Build vendor register. Request SOC 2/ISO certs from data-processing vendors. Sign DPAs. Classify data by sensitivity level.

Week 7-8

Vulnerability Management

Set up vulnerability scanning (Qualys/Nessus/OpenVAS). Run first scan. Remediate critical findings. Establish patching SLA.

Week 9-10

Incident Response

Write Incident Response Plan. Conduct tabletop exercise. Set up SIEM/log aggregation. Define breach notification procedures (OAIC: 72h).

Week 11-12

Training & Review

Deploy security awareness training. Run phishing simulation. Conduct quarterly access review. Review and update all policies.

Month 4-6

Continuous Compliance

Implement continuous monitoring. Automate evidence collection. Conduct internal audit. Prepare for external assessment/certification.

Activitee AI Copilot — Reads Your Systems, Not Just Your Frameworks

Ask about any control and get personalised guidance for your industry, jurisdiction, and tech stack. The AI Copilot references your live identity system data when connected to Activitee.

Ready to Track Your Implementation?

Your roadmap tells you WHAT to do. Subscribe to Activitee and the AI Copilot will query your live identity systems per control, auto-collect evidence, track implementation progress, and run continuous compliance checks — with native IRAP, ISM, Essential Eight, and CPS 234 coverage that US competitors don't offer.
