Identify



	Control name	Control description

# of rows:

Protect



	Control name	Control description

# of rows:

Detect



	Control name	Control description

# of rows:

Recover



	Control name	Control description

# of rows:

Respond



	Control name	Control description

# of rows:

NIST SP 800-53 REV 5 Audit



This checklist will help you prepare for an NIST SP 800-53 audit. Please do a self assessment for each area. You can read the detailed specification here.

Control name	Readiness score

CMMC Readiness Checklist



ISO 27001 Readiness Checklist



Context – Do you know what needs to be protected?

Have you documented:

All external and internal issues that affect your ISMS
Information security stakeholders and their information security requirements
Dependencies on other organizations that must be considered when determining what needs to be protected and where?

Leadership – Do you know management’s vision?

Can you provide evidence of leadership's vision for:

What information & how information should be protected
How roles, responsibilities & authorities required for information security will be established
How the vision will be made available, communicated, maintained and understood by all parties?

Planning – Do you have a plan to fulfill the vision?

Have you conducted a comprehensive risk assessment that analyzed risk and determined probability of potential impacts to achieving objectives & management’s vision?

Support – Do you have the support the plan needs to be successful?

Can you demonstrate you have the following pieces to support your plan: resources, competencies, awareness, document management process, ability to communicate the plan internally & externally?

Operation – Have you executed your plan?

Can you prove your plan has been executed, per the plan? Have you:

Carried out operational planning and control processes
Confirmed information security risk assessments were conducted as planned
Confirmed information security risk treatment plans were documented and implemented?

Performance Evaluation – Is your plan successful?

Have you demonstrated:

A process for management review of the ISMS
You have conducted internal audits to determine the information security management process complies with your organization’s requirements
The ability to track security metrics?

Improvement – Are you making corrective actions and continual improvements?

Do you have corrective action plans? Are you reacting to nonconformities identifying their root causes and implementing corrective actions to ensure a consistent, improvable, effective & repeatable ISMS is in place?

OFDSS Readiness Checklist



Does your organization have an up-to-date information security policy that establishes scope and accountability across the different domains?

Does your organization have a complete list of data assets?

Does your organization implement a vulnerability assessment and remediation plan?

If your organization is engaged in software development, is there a documented process for software version control, build, and release processes?

Does your organization have a strategy for dealing with applicable privacy and sensitive data handling regulations?

Does your organization have an employee security training program?

Has your organization participated in a third-party assessment of security (pen-test conducted by a 3rd party, SOC2, NIST, or ISO27001 audit)?

SOC2 Readiness Checklist



Gather IT Infrastructure/Cloud Security Documentation

Organizations should gather all relevant security documentation, attestations from their cloud provider or infrastructure provider. Teams may consider gathering documents including:

Cloud provider SOC Reports (SOC 1, SOC 2, SOC 3)
Service Level Agreements (SLAs)
Business Associates’ Agreements (BAA)

Gather Contractor and 3rd Party Vendor Agreements

In addition to gathering IT infrastructure, documentation, organizations should collect all agreements and NDAs signed with contractors and third-party vendors and software companies.

Create Administrative Security Policies

Teams preparing for SOC 2, should develop administrative policies based around the organization’s technologies, staff structure and security goals. Administrative policies should provide the standard operating procedures for managing SOC 2 internal controls. Policies should address topics including – Security Roles, System Access, Disaster Recovery (DR), Risk Assessment & Analysis, and Security Training.

Encryption
Access Control
Network and Firewall

Backup Settings
Intrusion Detection
Vulnerability Scanning and Patching

Determine Scope For SOC 2 Assessment

SOC 2 reports evaluate service organizations on one or more of the five Trust Service Criteria (TSC) – Security, Availability, Processing Integrity, Confidentiality, and Privacy. Teams should consider what criteria will be assessed under a SOC 2 audit.

Determine whether and audit will cover SOC 2 Type I or SOC 2 Type II report.
Determine which Trust Service Criteria (TSC) will be evaluated in the SOC 2 report.

Select An SOC 2 Auditor

After preparing security program, organizations should select a reputable SOC 2 audit firm. A SOC 2 audit may only be conducted by an AICPA-affiliated firm. Teams should look for a firm that has worked with similar size/type companies and has experience conducting previous SOC 2 audits.

Performance Evaluation – Is your plan successful?

Have you demonstrated:

A process for management review of the ISMS
You have conducted internal audits to determine the information security management process complies with your organization’s requirements
The ability to track security metrics?

Improvement – Are you making corrective actions and continual improvements?

Do you have corrective action plans? Are you reacting to nonconformities identifying their root causes and implementing corrective actions to ensure a consistent, improvable, effective & repeatable ISMS is in place?

PCI DSS V4 Readiness Checklist



Identify

Protect

Detect

Recover

Respond

NIST SP 800-53 REV 5 Audit

This checklist will help you prepare for an NIST SP 800-53 audit. Please do a self assessment for each area. You can read the detailed specification here.

CMMC Readiness Checklist

Use this checklist to determine whether you’re ready for your Cybersecurity Maturity Model Certification (CMMC) audit:

If you maintain CUI, make sure you’ve checked these boxes:

ISO 27001 Readiness Checklist

OFDSS Readiness Checklist

SOC2 Readiness Checklist

PCI DSS V4 Readiness Checklist