Annex to Declaration-Request - Questionnaire on Information

Certification Association “RUSSIAN REGISTER” (Ассоциация по сертификации “РУССКИЙ РЕГИСТР”)
8.2.1f (11/16)
QUESTIONNAIRE
on Information Security Management System (ISMS)
(Annex to declaration request for preliminary assessment/certification of ISMS in accordance with
ISO/IEC 27001:2013)
DECLARATION REQUEST Registration № (1)
Information on completion
1. Upon receipt of this completed form, Russian Register (hereinafter referred to as RR) will prepare a commercial quotation that includes a description of the process and the cost of each assessment/certification stage.
2. Please send the completed form and the attached documents in electronic form or by fax to: e-mail: [email protected], fax: +7 (812) 600-11-69
1. Organization data (copy from Declaration request form 8.2.1)
Full name:
Organization Representative for the ISMS:
Full name:
Note:
(1) To be completed by RR.
3. Organizational structure and number of personnel.
Please attach the organizational chart of your enterprise.
Number of personnel at production sites (3), by address or name of site (4):

Subdivision (2)                                 | Head office | Site address or name: ________
Administration                                  | 10          |
Accounting division                             | 2           |
Financial service                               | 3           | 2
Security services                               | 8           |
  of them: Economic security service            | 2           |
  of them: Physical security service            | 2           | 2
  of them: Information security service         | 1           | 1
IT subdivisions                                 | 50          |
  of them: Software developers                  | 20          |
  of them: Corporate information system administrators | 1    | 1
  of them: Database administrators              | 1           | 1
Sales departments (marketing)                   | 5           | 15
Quality control subdivisions                    | 2           | 2
Other subdivisions                              | 20          | 100
Total for the Organization: … around 200
4. Technical characteristics of sites
Total number of desktop and mobile computers: 100
Number of physical servers: 10
Total number of communication nodes (routers, switches): 10
Use of protected data channels (VPN): Yes
Use of virtual appliances: Yes
Availability of security areas:
Availability of guard posts:
Availability of protection systems:
  including: video monitoring
  including: security (fire) alarm
  including: access control system
Other characteristics:
(2) Specify the name of the subdivision (for large companies) or the position title (for small companies), and in the next columns the number of employees working in this subdivision.
(3) Approximate figures are acceptable. If necessary, attach additional sheets.
(4) Please delete our example (highlighted in blue) from your questionnaire.
Please specify the restricted areas within the physical security perimeter for which additional permission may be required in your Organization (for example: server room, special-purpose certified conference room):
5. Software and IT assets used in the Organization

Software type                                   | Availability | Description of application
System software                                 |              |
Program safeguards:
  Crypto gateways                               |              |
  Means of authentication                       |              |
  Means of monitoring and audit                 |              |
  Security scanners                             |              |
  Means of access control                       |              |
  Systems of cryptographic protection, encryption and electronic digital signature | |
  Antivirus programs                            |              |
  Anti-spam programs                            |              |
  Firewall                                      |              |
Tool software:
  Software development tools                    |              |
  Database management systems (DBMS)            |              |
Application software:
  Office applications                           |              |
  Corporate information systems                 |              |
  Design and manufacturing systems              |              |
  Scientific software                           |              |
  Clients for access to Internet services       |              |
  Multimedia                                    |              |
  Other systems                                 |              |

Sample entries for "Description of application" given in the form's example, in the order listed:
Windows Vista
«Infotext»
Snort
IBM ISS (Internet Security Systems)
Embedded in OS
Dr.Web
Embedded in e-mail client
Cisco ASA
Rational
Oracle
MS
Rational
Mathcad
Mozilla, Skype, The Bat, Teleport
Xvid
6. Description of ISMS activities
Attach a diagram of the interrelation of processes in your Organization.
Specify the range of products and/or services produced by your Organization within the scope of the ISMS.
List the main stages of the life cycle of your Organization's products or services within the scope of the ISMS (for example: design, production, management, sales, maintenance).
Short summary of the kinds of activity/processes/products/services of your Organization:
Operation and performance assurance of the corporate information system (CIS), LAN and software infrastructure; user support
7. Information structure of the Organization
7.1 Please specify the international and Russian standards applied in the Organization:
a) ISO/IEC 27001:2005
b) STO BR IBBS (Bank of Russia standard on information security of organizations in the banking system)
c) Guidance documents of FSTEC of Russia (Federal Service for Technical and Export Control, formerly the State Technical Commission)
d) Guidance documents of the FSB (Federal Security Service of Russia)
e) Federal laws of the Russian Federation, for example No. 149-FZ (On Information, Information Technologies and Protection of Information) and No. 152-FZ (On Personal Data).
f) Other: ______________________________________________________________
7.2 Please specify the names, dates of issue and validity dates of the licenses, certificates, permits, declarations, conclusions and external normative documents regulating the information security of your Organization:
FSTEC license for technical protection of confidential information
7.3 Specify the kinds of important information processed in your Organization: clients' personal data, employees' personal data, state secrets, commercial secrets, information for official use only, etc.
7.4 Specify whether the Organization has records that cannot be provided to the audit team for review because they contain confidential or secret information:
________________________________________________________________________________________
________________________________________________________________________________________
7.5 Recommendations of the manufacturers of the software and hardware used in the Organization (Microsoft, Oracle, Cisco, etc.) that are applied:
Microsoft Baseline Security Analyzer
7.6 Describe (if applicable) the software (in-house or purchased) used in the management processes of your Organization and in production (service provision):
Electronic document management system «Documentum»
8. Outsourced processes (5)
Specify the providers of information services and of information security services in the table.

Process and provider                                  | Description of the outsourced process
«1C» accounting, «Primus» Ltd.                        | Support and maintenance of the accounting software
Legal reference system «Konsultant+», «Shlyapa» Ltd.  | Support and maintenance of the reference system
Staff recruitment, «Feya» Ltd.                        | Personnel recruitment, testing, onboarding and training
9. Additional information
Specify whether persons attending your Organization (for example, the audit team) must comply with occupational health and safety or industrial safety requirements and use personal protective equipment (e.g. eye protection, safety shoes, protective headgear):
_____________________________________________________________________________________________
_____________________________________________________________________________________________
Specify whether persons attending your Organization (e.g. foreign citizens) are subject to special requirements governing access to the physical security perimeter, to protected rooms, or to information classified as commercial secret, for official use only, etc.:
_____________________________________________________________________________________________
_____________________________________________________________________________________________
Additional information may be requested to define the certification procedure.
10. Applicant's obligations:
1. The Applicant guarantees that the information provided in this annex to the declaration request is true.
2. The Applicant confirms that it has been informed of the conditions for RR certification and undertakes to comply with them (the conditions for certification are available on the official RR website: http://rusregister.ru/doc/004.00-105.pdf).
(5) Outsourced processes are processes that can potentially affect the Organization's security.
Head of
the Organization
(position)
SEAL
(surname and initials)
(signature)
Date «____»_____________20___