| ID | Key Action Step | Action | Expected Outcome | Data Source / Evaluation Methodology | Skill | Responsible | Timeline | Reference | Comment |
|---|---|---|---|---|---|---|---|---|---|
| 1.0 | Gap analysis of the Information Security Management System (ISO 27001) | Plan and perform a gap analysis based on ISO 27001. | Report with recommendations on how to comply with ISO 27001. | Interview; documentation review; site visit | AUD, ISM, RM | | | | |
| 1.1 | Scoping | Read all relevant documentation of the organizational structure and talk with stakeholders to identify boundaries, external groups, etc., in order to define the scope of the audit. | Agreed ISMS audit scope. | Interview; documentation review | AUD, ISM | | | | |
| 1.2 | Pre-audit | Read all relevant ISMS documentation to become acquainted with the processes in the management system and to find out whether the (mandatory) documentation contains non-conformities with regard to ISO 27001. | Basis for a (customized) audit workplan/checklist that takes the Statement of Applicability into account. | Interview; documentation review | AUD, ISM | | | | |
| 1.3 | Preparing for the main audit | * Collect and study previous audit findings and possible outstanding issues. * Prepare all documents that will be needed to carry out the audit. * Create an audit checklist (in-depth, based on ISO 27001, following a predefined path and checking for compliance with the controls). | (Customized) audit workplan/checklist and an audit plan agreed with management. | Interview; documentation review | AUD, ISM | | | | |
| 1.4 | Planning the main audit | * Plan which departments and/or locations to visit and which resources are needed. * Ensure the availability of all required resources and any other logistics the auditor may need. | Detailed workplan with committed resources. | Interview; documentation review | AUD, ISM, RM | | | | |
| 1.5 | Performing the audit | Perform the audit and gather adequate evidence to ascertain that: * the ISMS is compliant with ISO 27001 (see the following sheets: checklist ISO 27001, Annex A); * the information security policy is still an accurate reflection of the business requirements; * an appropriate risk assessment methodology is being used; * the documented procedures are being followed (within the scope of the ISMS) and are meeting their objectives; * technical controls (e.g. firewalls, physical access controls) are in place, correctly configured and working as intended; * the residual risks have been assessed correctly and are still acceptable to the company's management. | Documented audit findings. | Interview; documentation review; site visit | AUD, ISM, LG, RM | | | | |
| 1.6 | Reporting | Summarize all conformities and non-conformities and write an audit report. | Report. | | AUD | | | | |
| | | | | | | | | | |
| 2.0 | Gap analysis of the Business Continuity Management System (ISO 22301) | Plan and perform a gap analysis based on ISO 22301. | Report with recommendations on how to comply with ISO 22301. | Interview; documentation review; site visit | AUD, BCM, RM | | | | |
| 2.1 | Scoping | Read all relevant documentation of the organizational structure and talk with stakeholders to identify boundaries, external groups, etc., in order to define the scope of the audit. | Agreed BCMS audit scope. | Interview; documentation review | AUD, BCM | | | | |
| 2.2 | Pre-audit | Read all relevant BCMS documentation to become acquainted with the processes in the management system and to find out whether the (mandatory) documentation contains non-conformities with regard to ISO 22301. | Basis for a (customized) audit workplan/checklist that takes the Statement of Applicability into account. | Interview; documentation review | AUD, BCM | | | | |
| 2.3 | Preparing for the main audit | * Collect and study previous audit findings and possible outstanding issues. * Prepare all documents that will be needed to carry out the audit. * Create an audit checklist (in-depth, based on ISO 22301, following a predefined path and checking for compliance with the controls). | (Customized) audit workplan/checklist and an audit plan agreed with management. | Interview; documentation review | AUD, BCM | | | | |
| 2.4 | Planning the main audit | * Plan which departments and/or locations to visit and which resources are needed. * Ensure the availability of all required resources and any other logistics the auditor may need. | Detailed workplan with committed resources. | Interview; documentation review | AUD, BCM | | | | |
| 2.5 | Performing the audit | Perform the audit and gather adequate evidence to ascertain that the BCMS is compliant with ISO 22301 (see the following sheets: checklist) and that: * the business continuity policy is still an accurate reflection of the business requirements; * an appropriate risk assessment methodology is being used; * the documented procedures are being followed (within the scope of the BCMS) and are meeting their objectives; * technical controls are in place, correctly configured and working as intended; * the residual risks have been assessed correctly and are still acceptable to the company's management. | Documented audit findings. | Interview; documentation review; site visit | AUD, BCM, LG, RM | | | | |
| 2.6 | Reporting | Summarize all conformities and non-conformities and write an audit report. | Report. | | AUD | | | | |
| | | | | | | | | | |
| 3.0 | Scope of ICANN's SSR responsibilities | Review and analyze the scope of ICANN's SSR responsibilities. | Report with recommendations. | | | | | | |
| 3.1 | ICANN action zone | Review and analyze the documentation and produce recommendations. | Report. | Interview; documentation review | AUD, ISM | | | | |
| 3.2 | ICANN influence zone | Review and analyze the documentation and produce recommendations. | Report. | Interview; documentation review | AUD, ISM | | | | |
| 3.3 | ICANN coordination zone | Review and analyze the documentation and produce recommendations. | Report. | Interview; documentation review | AUD, ISM | | | | |
| | | | | | | | | | |
| 4.0 | ICANN Compliance | | | | | | | | |
| 4.1 | Registrars | Review and analyze the level of compliance requirements for registrar agreements. | Report with recommendations. | Interview; documentation review | AUD, LG | | | | |
| 4.2 | Registries | Review and analyze the level of compliance requirements for registry agreements. | Report with recommendations. | Interview; documentation review | AUD, LG | | | | |
| 4.3 | Vetting RO | Review and analyze ICANN's processes for vetting registry operators. | Report with recommendations. | Interview; documentation review | AUD, BCM, LG | | | | |
| 4.4 | Vetting EBERO | Review and analyze ICANN's processes for vetting emergency back-end registry operators. | Report with recommendations. | Interview; documentation review | AUD, BCM, LG | | | | |
| 4.5 | Data Escrow Provider | Review and analyze ICANN's processes for vetting data escrow providers. | Report with recommendations. | Interview; documentation review | AUD, BCM, LG | | | | |
| | | | | | | | | | |
| 5.0 | TBD | | | | | | | | |