ISO 27001 Internal Audit Checklist

This document appears to be an audit checklist for reviewing an organization's information security management system (ISMS). It contains over 100 questions across various sections including understanding the organization and ISMS context, leadership and commitment, risk assessment, objectives and planning, resource management, document control, operations, performance evaluation, and continual improvement. The questions are designed to assess conformance of the ISMS with the ISO/IEC 27001 standard.

Uploaded by Sonya

Audit:
Audit Scope:
Auditor(s):
Date of Audit:

Recommended Questions | Audit Findings

4. Context of the Organisation

4.1 Understanding the organisation and its context
1. What are the internal and external issues that are relevant to the ISMS?
2. How do they affect its ability to achieve its intended outcome?

4.2 Understanding the needs and expectations of interested parties
1. Who are the interested parties?
2. What are their requirements?
3. How have their requirements been established?

4.3 Determining the scope of the information security management system
1. What is the scope of the ISMS?
2. How is it defined?
3. Is it reasonable?
4. Does it consider the relevant issues and requirements?
5. Does it consider how the organisation interacts with other organisations?
6. Is the scope documented?

4.4 Information Security Management System
1. How established is the ISMS?
2. How long has it been running for?
3. How much evidence has been collected so far, e.g. records?

5. Leadership

5.1 Leadership and Commitment
1. Who is defined as top management within the scope of the ISMS?
2. How does top management demonstrate leadership and commitment?
3. Are information security policies and objectives established?
4. Are enough resources allocated to the ISMS?
5. How does top management communicate with everyone involved in the ISMS?

5.2 Policy
1. Can I review the information security policy?
2. Is it appropriate and does it cover required areas?
3. Does it include the required commitments?
4. How has it been communicated and distributed, and to whom?

5.3 Organizational roles, responsibilities and authorities
1. What are the roles within the ISMS?
2. Does everyone understand what their responsibilities and authorities are?
3. Who has the responsibility and authority for conformance and reporting?

6. Planning

6.1 Actions to address risks and opportunities
1. Is there a documented risk assessment process?
2. Does it address risk acceptance criteria and when assessments should be done?
3. What is the most recent risk assessment?
4. Does it identify a reasonable set of risks and specify owners?
5. Are the likelihood and impact of risks assessed appropriately and risk levels determined?
6. How are the risks then evaluated and prioritized?
7. Is there a documented risk assessment process?
8. Review the most recent risk treatment plan.
9. Are reasonable risk treatment options selected?
10. Are the controls chosen to treat the risks stated clearly?
11. Has an SOA been produced and are inclusions and exclusions justifiable?
12. Has the risk treatment plan been signed off by the risk owners?

6.2 Information security objectives and planning to achieve them
1. Are there documented information security objectives?
2. Do the objectives comply with section 6.2 (SMART goals)?
3. Is there a plan to achieve the objectives?
4. Are all the elements in this clause included in the objectives and

7. Support

7.1 Resources
1. How are the resources needed for the ISMS determined?
2. Are the required resources provided?

7.2 Competence
1. Have the necessary competences been determined?
2. How has the competence of the people involved in the ISMS been established?
3. What actions have been identified to acquire the necessary competence?
4. Have they been completed and is there evidence of this?

7.3 Awareness
1. What approach has been taken to providing awareness of the information security policy, contribution to the ISMS and implications of not conforming?
2. Has everyone been covered?

7.4 Communication
1. How has the need for communication been established?
2. Is the approach to communication documented?
3. Does the approach cover all areas in 7.4 (from a to e)?

7.5 Documented Information
1. Is all the documented information required by the standard in place?
2. Is the level of the other documentation reasonable for the size of the ISMS?
3. Are the appropriate documentation standards in place, e.g. identification, format?
4. Are the standards applied in a uniform way?
5. Are appropriate controls in place to meet 7.5.3 (a to f)?
6. How are documents of external origin handled?

8. Operation

8.1 Operational planning and control
1. What plans are available to review?
2. Do they cover requirements, objectives and risk treatments?
3. What planned changes have taken place recently and how were they controlled?
4. What processes are outsourced?
5. How are they controlled?

8.2 Information Security Risk Assessment
1. What are the planned intervals for risk assessment?
2. What significant changes have happened that prompted a risk assessment to be carried out?

8.3 Information Security Risk Treatment
1. What is the status of the Risk Treatment Plan(s)?
2. How is it updated?
3. How is the success of the treatment judged?

9. Performance Evaluation

9.1 Monitoring, measurement, analysis and evaluation
1. How is it determined what should be monitored and measured?
2. Review evidence of monitoring and measurement.
3. What procedures are in place to cover monitoring and measurement in different areas?
4. How are the results reported?

9.2 Internal Audit
1. How often are internal audits conducted?
2. Who carries them out?
3. Are the auditors objective and impartial?
4. Review the most recent internal audit report.
5. Have any nonconformities resulting from previous audits been addressed?
6. Does the audit programme cover the complete scope of the ISMS?

9.3 Management Review
1. How often are management reviews conducted?
2. Who attends them?
3. Are they minuted?
4. Review the results of the most recent one.
5. Are all the areas in 9.3 (a to f) covered at management reviews?
6. Does the management review represent a reasonable assessment of the health of the ISMS?

10. Improvement

10.1 Nonconformity and corrective action
1. How are nonconformities identified?
2. How are they identified?
3. Review the records of a recent nonconformity.
4. Was appropriate action taken to correct it and address the underlying causes?
5. Was the effectiveness of the corrective action reviewed?

10.2 Continual Improvement
1. How are improvements identified?
2. Are they recorded?
3. What evidence of continual improvement can be demonstrated?

Annex A Reference controls - all may not be applicable

A5 Information Security Policies
5.1. Management direction for information security
1. Review the set of existing and relevant policies.
2. Are they all approved?
3. Who have they been communicated to?
4. When was the last time they were reviewed?

A6 Organization of Information Security

6.1. Internal organization
1. Where is the segregation of duties used within the organization?
2. Which relevant authorities and special interest groups is contact maintained with, and how?
3. How was information security addressed in the most recent project?

6.2. Mobile devices and teleworking
4. Is there a mobile device policy?
5. What security measures are used to manage mobile device risks?
6. Is there a Work from Home (WFH) Policy?
7. Review the security measures in place at specific WFH sites.

A7 Human Resource Security

7.1. Prior to employment
1. What background verification checks are carried out on potential employees?
2. How is information security covered in employment contracts?

7.2. During employment
3. How are employees and contractors made aware of, and trained in, information security areas?
4. Is there a formal disciplinary process?
5. What happens when an employee leaves with respect to information security?

A8 Asset Management

8.1. Responsibilities for assets
1. Is there an asset inventory?
2. Are all assets in the inventory allocated to respective owners?
3. Are rules for the acceptable use of assets identified, documented and implemented?
4. What happens to assets when an employee leaves?

8.2. Information classification
5. Is there an information classification scheme in place?
6. How is information labelled within its classification?
7. What procedures are in place for handling high value assets?
8. How is removable media managed, including disposal and transport?

A9 Access Control

9.1. Responsibilities for assets
1. Is there an access control policy?
2. How is user access given and how are the levels of access determined for each user?

9.2. Responsibilities for assets
3. Is there a formal registration of access and authorisation, and then the removal of the same?
4. Is there a formal user access provisioning process?
5. How are privileged access rights controlled?

9.3. User responsibilities
6. Is there a formal management process to allocate secret authentication information?

9.4. System and application access control
7. How are access rights reviewed and how often?
8. What happens to access rights when someone moves or leaves?
9. How is the access control policy implemented within applications, e.g. logons, passwords?
10. How is the use of utility programs controlled?
11. Is access to program source code restricted?

A10 Cryptography

10.1. Cryptographic controls
1. Is there a policy on the use of cryptographic controls?
2. How has it been implemented?
3. Is there a policy covering cryptographic keys?
4. How has it been implemented?

A11 Physical and Environmental Security

11.1. Secure areas
1. Have the physical security perimeter and secure areas been defined?
2. What physical entry controls are in place?
3. What physical entry controls are in place?
4. Are there procedures for working in secure areas?
5. What controls are in place over delivery and loading areas?

11.2. Equipment
6. How is it decided where to site equipment?
7. What is the backup for supporting utilities failure?
8. Cabling review; prioritising the most important as you go.
9. Review equipment maintenance logs.
10. What is the procedure for taking assets offsite and how are they protected whilst offsite?
11. How is storage media disposed of? How secure is the disposal method?
12. How is unattended equipment protected?
13. Are desks and screens clear of sensitive information and storage media?

A12 Operations Security

12.1. Operational procedures and responsibilities
1. To what extent are operating procedures documented?
2. How are changes controlled?
3. How is capacity managed?
4. Are development, testing and operational environments separated?

12.2. Protection from malware
5. Are there malware threat prevention controls in place?
6. What are the levels of awareness amongst users of the threat from malware?

12.3. Backup
7. What is the backup policy and process?

12.4. Logging and monitoring
8. Are event logs collected and protected from tampering?
9. Are system administrator and operator activities logged and reviewed?
10. How are the clocks of the various infrastructure components synchronized?

12.5. Control of operational software
11. How is software installation on operational systems controlled, both at a system and user level?

12.6. Technical vulnerability management
12. How are technical vulnerabilities identified and addressed?
13. How are audits carried out without disrupting business processes?

A13 Communications Security

13.1. Network security management
1. How is network security managed and controlled?
2. Are network services agreements in place for all relevant services?
3. Do they cover security mechanisms, service levels, and management requirements?
4. Is network segregation used and if so how?

13.2. Information transfer
5. What information transfers take place?
6. Are there policies, procedures and controls in place to protect them?
7. Are controls documented in formal agreements?
8. How is electronic messaging protected?
9. Are there non-disclosure agreements in place with key parties?

A14 System Acquisition, Development and Maintenance

14.1. Security requirements of information systems
1. Are information security requirements included in specifications for new or changed systems?
2. How is information passing over public networks, e.g. the internet, protected?
3. For each type of application service, how are transactions protected from known threats?
4. How is software developed securely within the organization?
5. Is change control in place within the development lifecycle?
6. What process is performed when operating platforms are changed?
7. How much change is made to software packages (commercial off-the-shelf software)?
8. What principles are used when engineering secure systems?
9. How are development environments protected?
10. How do you monitor outsourced software development?
11. To what extent is system security tested during development?
12. Review records of acceptance testing for the most recent system implementation.

A15 Supplier Relationships
1. How are the organization's security requirements communicated and agreed with suppliers/vendors?
2. To what extent are the requirements documented in supplier agreements?
3. Do agreements with suppliers require them to address security risks?
4. How is supplier service delivery monitored, reviewed and audited?
5. How are changes made by suppliers managed and risk-assessed?

A16 Information Security Incident Management
1. Is there an information security incident procedure?
2. Are responsibilities for incident management allocated and understood?
3. How are information security events and weaknesses reported?
4. How is the decision about whether to classify an event as an incident made?
5. Review how some of the most recent incidents were responded to.
6. How is knowledge gained from incidents re-used?
7. Are procedures in place to ensure that potential evidence is protected?

A17 Information Security Aspects of Business Continuity Management
1. Are information security requirements in the event of a disaster understood?
2. Do Business Continuity procedures provide for the required level of information security?
3. Are the procedures tested regularly?
4. Are availability requirements identified and is sufficient redundancy in place to meet them?

A18 Compliance

18.1. Compliance with legal and contractual requirements
1. Is it clear what legislation and regulation applies to the organization and its activities?
2. Are contractual obligations understood?
3. Is an approach to meet these requirements in place?
4. Are procedures implemented to ensure compliance with intellectual property rights?
5. Are records protected in line with the understood requirements?
6. Is privacy and protection of personally identifiable information addressed adequately?
7. Is the organization's use of cryptographic controls legal and compliant with relevant agreements?

18.2. Independent review of information security
8. How often are independent reviews of information security carried out?
9. How often do managers check that their areas are compliant with information security policies and standards?
10. Review the most recent report on compliance of information systems with agreed information security policies.
Evidence Reviewed
https://isoconsultantkuwait.com/2019/08/04/2432/
