ISO IEC 27002 2005*
INFORMATION SECURITY AUDIT TOOL

 

*ISO IEC 27002 2005 was previously known as ISO IEC 17799 2005.
Only the number has changed; the content of the standard is the same.

ISO IEC 27002 Information Security Audit Tool by Praxiom Research Group Limited

This web page describes our ISO IEC 27002 2005 (17799) Information
Security Audit Tool (Title 38). However, it does not present the entire
product. Instead, it shows you how our plain English Security Audit Tool is
organized and introduces our approach. Once you've examined our audit
approach, we hope you'll consider purchasing our complete
ISO IEC 27002 2005 Information Security Audit Tool.

We begin with a table of contents. It shows how we've organized our
Auditing Tool. To illustrate our approach, we also provide sample audit
questionnaires. The complete Auditing Tool is 257 pages long and has
11 questionnaires made up of several hundred audit questions. One questionnaire
is provided for each of the eleven security clauses (5 to 15) that make up the standard.

For each question, three answers are possible: YES, NO, and N/A.
A YES answer means you comply with the standard, a NO answer means
you don't, and an N/A answer means that the question is not applicable in
your situation. YES answers identify security practices that are already being
followed; they require no further action. NO answers point to security
practices that still need to be implemented and actions that should be taken:
each NO answer corresponds to a recommendation in the standard and reveals
a gap between ISO 27002 and your current practices. An N/A answer should be
recorded with a short justification in the comments column, because a reviewer
will want to know why the question was judged not to apply.

Because every question is tied to a clause of the standard, our audit
questionnaires can be used to identify the gaps that exist between ISO's
security standard and your organization's security practices. In other words,
our audit tool also serves as a very detailed gap analysis. Once you've filled
all the gaps, you can be confident that your practices address every control
in the standard. If you use our Information Security Audit Tool you will not
only align with ISO's many security controls but you will also improve the
overall performance of your information security program.
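As an added illustration of the YES / NO / N/A gap analysis described above (example code written for this page, not part of the Praxiom audit tool), the following Python script scores a questionnaire clause by clause, excludes N/A answers from the denominator, rejects anything other than the three permitted answers, and lists the NO answers as gaps with controls (CTRL) ahead of guidance (GUIDE). The row layout it parses mirrors the sample questionnaire below; the sample answers and the CTRL-before-GUIDE remediation order are assumptions made for the example.

```python
"""Gap analysis over YES / NO / N/A questionnaire answers (added example)."""
import re

# Row layout used in the questionnaire: number, type tag, question text.
ROW_RE = re.compile(r"^\s*(\d+)\s+(GOAL|CTRL|GUIDE|NOTE)\s+(\S.*?)\s*$")
VALID_ANSWERS = {"YES", "NO", "N/A"}

# Assumed remediation order for NO answers: a missing control (CTRL) comes
# before missing guidance (GUIDE), then objectives (GOAL) and notes (NOTE).
PRIORITY = {"CTRL": 0, "GUIDE": 1, "GOAL": 2, "NOTE": 3}


def parse_row(line):
    """Split '36 CTRL Do you check ...' into (36, 'CTRL', 'Do you check ...')."""
    m = ROW_RE.match(line)
    if not m:
        raise ValueError(f"not a questionnaire row: {line!r}")
    return int(m.group(1)), m.group(2), m.group(3)


def analyze(answers):
    """answers: {clause: [(row_line, answer), ...]} -> {clause: summary}.

    N/A rows are excluded from the denominator, so a clause whose applicable
    questions are all YES scores 1.0 however many rows were N/A, and a clause
    with no applicable question has score None rather than a misleading 0 or 1.
    Any answer outside YES / NO / N/A is rejected rather than silently counted.
    """
    report = {}
    for clause, rows in answers.items():
        applicable = yes = 0
        gaps = []
        for line, answer in rows:
            num, tag, text = parse_row(line)
            answer = answer.strip().upper()
            if answer not in VALID_ANSWERS:
                raise ValueError(f"question {num}: expected YES, NO or N/A, got {answer!r}")
            if answer == "N/A":
                continue
            applicable += 1
            if answer == "YES":
                yes += 1
            else:
                gaps.append((PRIORITY[tag], num, tag, text))
        gaps.sort()  # controls first, then by question number
        report[clause] = {
            "applicable": applicable,
            "yes": yes,
            "score": yes / applicable if applicable else None,
            "gaps": [(num, tag, text) for _, num, tag, text in gaps],
        }
    return report


def format_report(report):
    """Render the per-clause scores and the prioritized gap list as text."""
    out = []
    for clause in sorted(report):
        r = report[clause]
        score = "no applicable questions" if r["score"] is None else f"{r['score']:.0%}"
        out.append(f"{clause}: {r['yes']}/{r['applicable']} applicable answered YES ({score})")
        for num, tag, text in r["gaps"]:
            out.append(f"  GAP Q{num} {tag}: {text}")
    return "\n".join(out)


# Constructed sample answers for a few rows of the Part 8 sample questionnaire;
# the answers themselves are made up for this example.
SAMPLE_ANSWERS = {
    "8.1.1": [
        ("20 CTRL Have you documented security roles and responsibilities?", "N/A"),
    ],
    "8.1.2": [
        ("36 CTRL Do you check the backgrounds of all candidates for employment "
         "before you allow them to access your organization's information?", "YES"),
        ("37 CTRL Do you check the backgrounds of contractors before you allow "
         "them to access your organization's information?", "NO"),
        ("39 CTRL Do your background checks comply with all relevant laws and regulations?", "yes"),
        ("47 GUIDE Do you check out the applicant's character references?", "NO"),
        ("52 GUIDE Do you carry out credit checks on new personnel?", "N/A"),
    ],
    "8.1.3": [
        ("66 CTRL Do you use contractual terms and conditions to specify your "
         "organization's information security responsibilities?", "YES"),
        ("71 GUIDE Do all new employees sign confidentiality or nondisclosure "
         "agreements before you allow them to access sensitive information?", "N/A"),
    ],
}

if __name__ == "__main__":
    print(format_report(analyze(SAMPLE_ANSWERS)))
```

Run as a script it prints one line per clause with the score and the gap list beneath it. The point of excluding N/A from the denominator is that a clause you have legitimately scoped out should neither inflate nor depress your compliance figure, and a clause with nothing applicable is reported as such rather than as 0% or 100%.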


ISO IEC 27002 (17799)
INFORMATION SECURITY AUDIT TOOL

PART   TITLE 38 TABLE OF CONTENTS                                    PAGE
 1     Audit Profile                                                    3
 2     Audit Summary                                                    4
 3     Introduction to Audit                                            5
 4     Outline of Audit Process                                         6
 5     Security Policy Management Audit                                14
 6     Corporate Security Management Audit                             21
 7     Organizational Asset Management Audit                  (PDF sample)
 8     Human Resource Security Management Audit              (HTML sample)
 9     Physical and Environmental Security Management Audit   (PDF sample)
10     Communications and Operations Management Audit                 101
11     Information Access Control Management Audit                    153
12     Information Systems Security Management Audit                  188
13     Information Security Incident Management Audit         (PDF sample)
14     Business Continuity Management Audit                           226
15     Compliance Management Audit                                    240
16     Legal and Contact Information                                  256

SEPT 2007   COPYRIGHT © 2007 BY PRAXIOM RESEARCH GROUP LIMITED   VERSION 4.0

The following material presents a sample of our audit questionnaires. 

TITLE 38 SAMPLE AUDIT QUESTIONS

ISO IEC 27002 2005
INFORMATION SECURITY AUDIT TOOL

8. HUMAN RESOURCE SECURITY MANAGEMENT AUDIT

8.1 EMPHASIZE SECURITY PRIOR TO EMPLOYMENT

#   TYPE   QUESTION                                        ANSWERS      COMMENTS
1 GOAL Have you reduced the risk of theft, fraud, or
misuse of facilities by making sure that all
prospective employees understand their
responsibilities before you hire them?
YES NO N/A    
2 GOAL Have you reduced the risk of theft, fraud, or
misuse of facilities by making sure that all
prospective contractors understand their
responsibilities before you hire them?
YES NO N/A    
3 GOAL Have you reduced the risk of theft, fraud, or misuse
of facilities by making sure that all third-party users
understand their responsibilities before you allow them
to use your facilities?
YES NO N/A
4 GOAL Have you reduced the risk of theft, fraud, or
misuse of facilities by making sure that all
prospective employees are suitable given the
roles that they will be asked to carry out?
YES NO N/A    
5 GOAL Have you reduced the risk of theft, fraud, or
misuse of facilities by making sure that all
prospective contractors are suitable given
the tasks that they will be carrying out?
YES NO N/A    
6 GOAL Have you reduced the risk of theft, fraud, or
misuse of facilities by making sure that all third-party
users are suitable before you allow them to use
your facilities?
YES NO N/A
7 GOAL Do you use clear job descriptions to
define the security responsibilities that
new personnel will be carrying out?
YES NO N/A    
8 GOAL Do you use employment terms and conditions
to specify the security responsibilities that new
personnel will be asked to carry out?
YES NO N/A    
9 GOAL Do you screen all employees before you hire
them, especially when they will be asked to
perform sensitive jobs?
YES NO N/A    
10 GOAL Do you screen all contractors before you
hire them, especially when they will be asked
to provide sensitive services?
YES NO N/A    
11 GOAL Do you screen all third-party users, especially
when they will be allowed to access sensitive
information?
YES NO N/A    
12 GOAL Do you ask prospective employees to sign
agreements that specify what their security
roles and responsibilities are?
YES NO N/A    
13 GOAL Do you ask prospective contractors to sign
agreements that specify what their security
roles and responsibilities are?
YES NO N/A    
14 GOAL Do you ask prospective third-party users
to sign agreements that specify what their
security roles and responsibilities are?
YES NO N/A    
8.1.1 DEFINE SECURITY ROLES AND RESPONSIBILITIES

#   TYPE   QUESTION                                        ANSWERS      COMMENTS
15 CTRL Are your organization’s security roles and
responsibilities defined in accordance with
your information security policy?
YES NO N/A    
16 CTRL Do you use your security role and responsibility
definitions to implement your security policy?
YES NO N/A    
17 CTRL Have you implemented your information security
policy by expecting prospective employees to perform
security roles and responsibilities?
YES NO N/A
18 CTRL Have you implemented your organization’s
information security policy by expecting
prospective contractors to perform security
roles and responsibilities?
YES NO N/A    
19 CTRL Have you implemented your organization’s
information security policy by expecting third-party
users to perform security roles and responsibilities?
YES NO N/A
20 CTRL Have you documented security
roles and responsibilities?
YES NO N/A    
21 GUIDE Do your security roles and responsibilities make
it clear that all personnel must implement your
organization’s information security policy?
YES NO N/A    
22 GUIDE Do your security roles and responsibilities make
it clear that all behavior must comply with your
organization’s information security policy?
YES NO N/A    
23 GUIDE Do your organization’s security roles and
responsibilities make it clear that all assets
must be protected from unauthorized access?
YES NO N/A    
24 GUIDE Do your organization’s security roles and
responsibilities make it clear that all assets
must be protected from unauthorized disclosure?
YES NO N/A    
25 GUIDE Do your organization’s security roles and
responsibilities make it clear that all assets
must be protected from unauthorized modification?
YES NO N/A    
26 GUIDE Do your organization’s security roles and
responsibilities make it clear that all assets
must be protected from unauthorized destruction?
YES NO N/A    
27 GUIDE Do your organization’s security roles and
responsibilities make it clear that all assets must
be protected from unauthorized interference?
YES NO N/A    
28 GUIDE Do your security roles and responsibilities
make it clear that all specified security activities
and processes must be carried out?
YES NO N/A    
29 GUIDE Do your security roles and responsibilities
make it clear that responsibilities must be
assigned to specific people?
YES NO N/A    
30 GUIDE Do your security roles and responsibilities make it
clear that specific people will be held accountable
for their actions and inactions?
YES NO N/A    
31 GUIDE Do your security roles and responsibilities make
it clear that security risks must be reported to
your organization?
YES NO N/A    
32 GUIDE Do your security roles and responsibilities
make it clear that security events must
be reported to your organization?
YES NO N/A    
33 GUIDE Do you communicate your organization’s security
roles and responsibilities to job applicants during
the pre-employment process?
YES NO N/A    
34 NOTE Do you communicate your organization’s security
roles and responsibilities to all non-staff members?
YES NO N/A    
35 NOTE Do you use job descriptions to document and
communicate your organization’s security
roles and responsibilities?
YES NO N/A    
8.1.2 VERIFY THE BACKGROUNDS OF NEW PERSONNEL

#   TYPE   QUESTION                                        ANSWERS      COMMENTS
36 CTRL Do you check the backgrounds of all candidates
for employment before you allow them to access
your organization’s information?
YES NO N/A    
37 CTRL Do you check the backgrounds of contractors
before you allow them to access your
organization’s information?
YES NO N/A    
38 CTRL Do you check the backgrounds of third-party users
before you allow them to access your organization’s
information?
YES NO N/A
39 CTRL Do your background checks comply
with all relevant laws and regulations?
YES NO N/A    
40 CTRL Do your background checks comply
with all relevant ethical standards?
YES NO N/A    
41 CTRL Do you perform more rigorous background
checks on people who will be accessing
sensitive information?
YES NO N/A    
42 CTRL Do you perform more rigorous background checks
when the perceived security risk is greater?
YES NO N/A    
43 CTRL Do your background checks meet your
organization’s business requirements?
YES NO N/A    
44 GUIDE Do your background checks comply
with all relevant privacy legislation?
YES NO N/A    
45 GUIDE Do your background checks comply with all
relevant labor and employment legislation?
YES NO N/A    
46 GUIDE Do your background checks comply with all
relevant personal data protection legislation?
YES NO N/A    
47 GUIDE Do you check out the applicant’s
character references?
YES NO N/A    
48 GUIDE Do you verify the applicant’s
curriculum vitae (résumé)?
YES NO N/A    
49 GUIDE Do you verify the applicant’s
professional qualifications?
YES NO N/A    
50 GUIDE Do you verify the applicant’s
academic qualifications?
YES NO N/A    
51 GUIDE Do you verify the applicant’s personal identity? YES NO N/A
52 GUIDE Do you carry out credit checks on new personnel? YES NO N/A    
53 GUIDE Do you check to see if applicants
have criminal records?
YES NO N/A    
54 GUIDE Do you perform more detailed background
checks on new hires who will be handling
sensitive or confidential information?
YES NO N/A    
55 GUIDE Do you perform more detailed background
checks on people who have been promoted
to a position where they will be handling
sensitive or confidential information?
YES NO N/A    
56 GUIDE Have you established procedures
to control background checks?
YES NO N/A    
57 GUIDE Do your background checking procedures define
how background checks should be performed?
YES NO N/A    
58 GUIDE Do your background checking procedures define
who is allowed to carry out background checks?
YES NO N/A    
59 GUIDE Do your background checking procedures define
when background checks may be performed?
YES NO N/A    
60 GUIDE Do your background checking procedures define
why background checks should be performed?
YES NO N/A    
61 GUIDE Do you use contracts to control how personnel
agencies screen contractors on behalf of your
organization?
YES NO N/A    
62 GUIDE Do your personnel agency contracts define
notification procedures that agencies
must follow whenever background checks
identify doubts or concerns?
YES NO N/A    
63 GUIDE Do agreements with third-party users define
the notification procedures that must be followed
whenever background checks identify doubts or
concerns?
YES NO N/A    
64 GUIDE Do your background checks comply with all
relevant information collection and handling legislation?
YES NO N/A
65 GUIDE Do all candidates understand that background
checks will be performed if legislation requires
you to do so?
YES NO N/A    
8.1.3 USE CONTRACTS TO PROTECT YOUR INFORMATION

#   TYPE   QUESTION                                        ANSWERS      COMMENTS
66 CTRL Do you use contractual terms and conditions to
specify your organization’s information security
responsibilities?
YES NO N/A    
67 CTRL Do you use contractual terms and conditions
to specify your employees’ information security
responsibilities?
YES NO N/A    
68 CTRL Do you use contractual terms and conditions
to specify your contractors’ information security
responsibilities?
YES NO N/A    
69 CTRL Do you use contractual terms and conditions
to specify third-party users’ information security
responsibilities?
YES NO N/A    
70 GUIDE Do your employment terms and conditions apply
your organization’s information security policy?
YES NO N/A    
71 GUIDE Do all new employees sign confidentiality or
nondisclosure agreements before you allow
them to access sensitive information?
YES NO N/A    
72 GUIDE Do all new contractors sign confidentiality or
nondisclosure agreements before you allow
them to access sensitive information?
YES NO N/A    
73 GUIDE Do all new third-party users sign confidentiality
or nondisclosure agreements before you allow
them to use sensitive information?
YES NO N/A    
74 GUIDE Do you use employment contracts to specify what
new employees’ legal rights and responsibilities are?
YES NO N/A    
75 GUIDE Do you use contractual terms and conditions
to specify what new contractors’ legal rights
and responsibilities are?
YES NO N/A    
76 GUIDE Do you use contractual terms and conditions
to specify what your new third party users’
legal rights and responsibilities are?
YES NO N/A    
77 GUIDE Do you use contractual terms and conditions
to state how copyright laws must be respected
and applied?
YES NO N/A    
78 GUIDE Do you use contractual terms and conditions to
explain how data protection laws must be applied?
YES NO N/A    
79 GUIDE Do you use employment contracts to state that
employees are expected to classify information?
YES NO N/A    
80 GUIDE Do you use employment contracts to state
that employees are expected to handle and
help control your organization’s information
systems and services?
YES NO N/A    
81 GUIDE Do you use your contractual terms and conditions
to state that contractors are expected to handle and
help control your information systems and services?
YES NO N/A    
82 GUIDE Do you use your contractual terms and conditions
to state that third-party users are expected to handle
and help control information systems and services?
YES NO N/A    
83 GUIDE Do you use employment contracts to explain
how employees are expected to handle information
received from other companies or external parties?
YES NO N/A    
84 GUIDE Do you use contractual terms and conditions to
explain how contractors are expected to handle
information received from other companies or
external parties?
YES NO N/A    
85 GUIDE Do you use contractual terms and conditions
to explain how third-party users are expected
to handle information received from other
companies or external parties?
YES NO N/A    
86 GUIDE Do you use employment contracts to explain how
your organization is legally obligated to manage
and protect personal information?
YES NO N/A    
87 GUIDE Do you use employment contracts to explain what
employees must do to protect personal information?
YES NO N/A    
88 GUIDE Do you use contracts to make it clear that personnel
must protect your information even when they are
working at home or outside of normal working hours?
YES NO N/A    
89 GUIDE Do you use employment contracts to explain
what will be done if an employee disregards
your organization’s security requirements?
YES NO N/A    
90 GUIDE Do you use contracts to explain what will be done if
a contractor disregards your security requirements?
YES NO N/A    
91 GUIDE Do you use contracts to explain what will be done if 
a third-party user disregards your security requirements?
YES NO N/A    
92 GUIDE Do you use contractual terms and conditions to define
the security restrictions and obligations that control
how employees will use your assets and access
your information systems and services?
YES NO N/A    
93 GUIDE Do you use contractual terms and conditions to define
the security restrictions and obligations that control
how contractors will use your assets and access
your information systems and services?
YES NO N/A    
94 GUIDE Do you use contractual terms and conditions to define
the security restrictions and obligations that control
how third-party users will use your assets and access
your information systems and services?
YES NO N/A    
95 GUIDE Do you use contractual terms and conditions to
ensure that all personnel agree to comply with the
information security restrictions and obligations that
control how they use your assets and access your
information systems and services?
YES NO N/A    
96 GUIDE Do your security restrictions and obligations
continue for a specified period after employment
has been terminated?
YES NO N/A    
97 GUIDE Do you use a code of conduct to describe the
ethical obligations and responsibilities that
employees, contractors, and third party
users must accept?
YES NO N/A    
98 GUIDE Do you use a code of conduct to describe the
data protection obligations and responsibilities
that employees, contractors, and third party
users must accept?
YES NO N/A    
99 GUIDE Do you use a code of conduct to describe the
confidentiality obligations and responsibilities
that employees, contractors, and third party
users must accept?
YES NO N/A    
100 GUIDE Do you use a code of conduct to describe
your tools and equipment usage restrictions
and expectations?
YES NO N/A    
101 GUIDE Do you use a code of conduct to describe
facility use restrictions and expectations?
YES NO N/A    
102 GUIDE Do you use a code of conduct
to define reputable practices?
YES NO N/A    
Etcetera ... (the remaining questions in Part 8 are omitted from this sample)
ORGANIZATION:                          SCOPE OF AUDIT:
COMPLETED BY:                          DATE COMPLETED:
REVIEWED BY:                           DATE REVIEWED:

SEP 2007   COPYRIGHT © PRAXIOM RESEARCH GROUP LIMITED. ALL RIGHTS RESERVED.   VER 4.0
PART 8 HUMAN RESOURCE SECURITY MANAGEMENT AUDIT   PAGE 64

Now that you understand our approach, please purchase our:
Title 38: ISO IEC 27002 2005 Information Security Audit Tool.

If you purchase our ISO IEC 27002 2005 Audit Tool, you'll find
that it's integrated, detailed, exhaustive, and easy to understand.
You'll find that we've worked hard to create a high quality
product. In fact, we
guarantee the quality!

Check our Prices. Place an Order.
Check our License Agreement.

OTHER ISO 27002 2005 SECURITY WEB PAGES

Introduction to ISO 27002 (17799) Information Security Standard

Overview of the ISO 27002 (17799) Information Security Standard

ISO 27002 (17799) Plain English Information Security Definitions

ISO 27002 (17799) Information Security Standard Translated into Plain English

Complete List of ISO 27002 (17799) Information Security Control Objectives

RELATED MANAGEMENT LIBRARIES

ISO 27001 Information Security Management Library

ISO 27002 (17799) Information Security Management Library

NFPA 1600 Business Continuity Management Library

ISO 90003 Software Quality Management Library

OTHER AUDIT PROGRAMS

ISO 9001 Quality Management Audit Program

ISO 13485 Audit Program for Medical Devices

ISO 22000 2005 Food Safety Audit Program

ISO 14001 2004 Environmental Audit Program

NFPA 1600 Business Continuity Audit Program

OHSAS 18001 2007 Occupational Health and Safety Audit Program



PRAXIOM RESEARCH GROUP LIMITED
9619 - 100A Street, Edmonton, Alberta, T5K 0V7, Canada
Telephone: (780)461-4514
info@praxiom.com

Updated on May 18, 2009. On the Web since May 25, 1997.

Disclaimer and Limitation of Liability
The publisher and authors have used their best efforts in designing and
developing this electronic publication. We make no representation or warranties
with respect to the accuracy or completeness of the contents of this publication and
specifically disclaim any implied warranties of merchantability or fitness for any
particular purpose, and shall in no event be liable for any loss of profit or any
other commercial damage, including but not limited to special, incidental,
consequential, or other damages.

Legal Restrictions on the Use of this Page
Thank you for visiting this page. You are, of course, welcome to view our
material as often as you wish, free of charge. And as long as you keep intact
all copyright notices, you are also welcome to print or make one copy of this
page for your own personal, noncommercial, home use. But you are not
legally authorized to print or produce additional copies, or to copy and paste
any of our material onto another web site. If you would like to purchase our
material, please contact our Sales Desk. Our staff would be very pleased to
take your order or to answer any questions you might have.

Copyright © 2006-2009 by Praxiom Research Group Limited. All Rights Reserved.
