ISO IEC 27002 2005

 SECURITY AUDIT TOOL

 

ISO IEC 27002 2005 is now OBSOLETE. See our NEW ISO IEC 27002 2013 Audit Tool.

This web page will describe our ISO IEC 27002 2005 (17799) Information
Security Audit Tool (Title 38). However, it will not present the entire product.
Instead, it will show you how our information security audit tool is organized
and it will introduce our approach. Once you've examined our audit approach, 
we hope you'll consider purchasing our complete audit tool.

We begin with a table of contents. It shows how we've organized our audit tool.
In order to illustrate our approach, we also provide sample audit questionnaires.
The complete audit tool is 257 pages long and has 11 questionnaires made up
of several hundred audit questions. One questionnaire is provided for each
of the eleven sections (5 to 15) that make up the standard.

For each question, three answers are possible: YES, NO, and N/A.
A YES answer means you comply with the standard, a NO answer means
you don't, and an N/A answer means that the question is not applicable
in your situation. YES answers identify security practices that are already
being followed. They require no further action. In contrast, NO answers point
to security practices that need to be implemented and actions that should be
taken. Each NO answer points to an information security recommendation.
Each NO answer reveals a gap that exists between the ISO 27002 standard
and your practices.

Since our audit questionnaires can be used to identify the gaps that exist
between ISO's security standard and your organization's security practices,
it can also be used to perform a detailed gap analysis. Once you've filled all
the gaps, you can be assured that you've done everything humanly possible
to protect your information assets. If you use our audit tool you will not only
comply with ISO's many security requirements but you will also improve
the overall performance of your information security program.

ISO IEC 27002 2005 (17799)
 INFORMATION SECURITY AUDIT TOOL

PART

TITLE 38 TABLE OF CONTENTS

PAGE

1

Audit Profile

3

2

Audit Summary

4

3

Introduction to Audit

5

4

Outline of Audit Process

6

5

Security Policy Management Audit

14

6

Corporate Security Management Audit

21

7

Organizational Asset Management Audit

< PDF SAMPLE

8

Human Resource Security Management Audit

< HTML SAMPLE

9

Physical and Environmental Security Management Audit

< PDF SAMPLE

10

Communications and Operations Management Audit

101

11

Information Access Control Management Audit

153

12

Information Systems Security Management Audit

188

13

Information Security Incident Management Audit

215

14

Business Continuity Management Audit

226

15

Compliance Management Audit

240

16

Legal and Contact Information

256

SEPT 2007

COPYRIGHT © 2007 BY PRAXIOM RESEARCH GROUP LIMITED 

VERSION 4.0

The following material presents a sample of our audit questionnaires. 

TITLE 38 SAMPLE AUDIT QUESTIONS

ISO IEC 27002 2005 [OBSOLETE]

INFORMATION SECURITY AUDIT TOOL

8. HUMAN RESOURCE SECURITY MANAGEMENT AUDIT

8.1 EMPHASIZE SECURITY PRIOR TO EMPLOYMENT

ANSWERS

COMMENTS

 

1

GOAL

Have you reduced the risk of theft, fraud, or
misuse of facilities by making sure that all
prospective employees understand their
responsibilities before you hire them?

YES

NO

N/A

 

 

2

GOAL

Have you reduced the risk of theft, fraud, or
misuse of facilities by making sure that all
prospective contractors understand their
responsibilities before you hire them?

YES

NO

N/A

 

 

3

GOAL

Have you reduced the risk of theft, fraud, or misuse
of facilities by making sure that all third-party
users understand their responsibilities before 
you allow them to use your facilities?

YES

NO

N/A

 

 

4

GOAL

Have you reduced the risk of theft, fraud, or
misuse of facilities by making sure that all
prospective employees are suitable given the
roles that they will be asked to carry out?

YES

NO

N/A

 

 

5

GOAL

Have you reduced the risk of theft, fraud, or
misuse of facilities by making sure that all
prospective contractors are suitable given
the tasks that they will be carrying out?

YES

NO

N/A

 

 

6

GOAL

Have you reduced the risk of theft, fraud, or
misuse of facilities by making sure that all
third party users are suitable before you
allow them to use your facilities?

YES

NO

N/A

 

 

7

GOAL

Do you use clear job descriptions to
define the security responsibilities that
new personnel will be carrying out?

YES

NO

N/A

 

 

8

GOAL

Do you use employment terms and conditions
to specify the security responsibilities that new
personnel will be asked to carry out?

YES

NO

N/A

 

 

9

GOAL

Do you screen all employees before you hire
them, especially when they will be asked to
perform sensitive jobs?

YES

NO

N/A

 

 

10

GOAL

Do you screen all contractors before you
hire them, especially when they will be asked
to provide sensitive services?

YES

NO

N/A

 

 

11

GOAL

Do you screen all third-party users, especially
when they will be allowed to access sensitive
information?

YES

NO

N/A

 

 

12

GOAL

Do you ask prospective employees to sign
agreements that specify what their security
roles and responsibilities are?

YES

NO

N/A

 

 

13

GOAL

Do you ask prospective contractors to sign
agreements that specify what their security
roles and responsibilities are?

YES

NO

N/A

 

 

14

GOAL

Do you ask prospective third-party users
 to sign agreements that specify what their
security roles and responsibilities are?

YES

NO

N/A

 

 

8.1.1 DEFINE SECURITY ROLES AND RESPONSIBILITIES

ANSWERS

COMMENTS

 

15

CTRL

Are your organization’s security roles and
responsibilities defined in accordance with
your information security policy?

YES

NO

N/A

 

 

16

CTRL

Do you use your security role and responsibility
definitions to implement your security policy?

YES

NO

N/A

 

 

17

CTRL

Have you implemented your information security
policy by expecting prospective employees
 to perform security roles and responsibilities?

YES

NO

N/A

 

 

18

CTRL

Have you implemented your organization’s
information security policy by expecting
prospective contractors to perform security
roles and responsibilities?

YES

NO

N/A

 

 

19

CTRL

Have you implemented your organization’s
information security policy by expecting
third-party users to perform security
roles and responsibilities?

YES

NO

N/A

 

 

20

CTRL

Have you documented security
roles and responsibilities?

YES

NO

N/A

 

 

21

GUIDE

Do your security roles and responsibilities make
it clear that all personnel must implement your
organization’s information security policy?

YES

NO

N/A

 

 

22

GUIDE

Do your security roles and responsibilities make
it clear that all behavior must comply with your
organization’s information security policy?

YES

NO

N/A

 

 

23

GUIDE

Do your organization’s security roles and
responsibilities make it clear that all assets
must be protected from unauthorized access?

YES

NO

N/A

 

 

24

GUIDE

Do your organization’s security roles and
responsibilities make it clear that all assets
 must be protected from unauthorized disclosure?

YES

NO

N/A

 

 

25

GUIDE

Do your organization’s security roles and
responsibilities make it clear that all assets
 must be protected from unauthorized modification?

YES

NO

N/A

 

 

26

GUIDE

Do your organization’s security roles and
responsibilities make it clear that all assets
 must be protected from unauthorized destruction?

YES

NO

N/A

 

 

27

GUIDE

Do your organization’s security roles and
responsibilities make it clear that all assets must
be protected from unauthorized interference?

YES

NO

N/A

 

 

28

GUIDE

Do your security roles and responsibilities
 make it clear that all specified security activities
and processes must be carried out?

YES

NO

N/A

 

 

29

GUIDE

Do your security roles and responsibilities
make it clear that responsibilities must be
assigned to specific people?

YES

NO

N/A

 

 

30

GUIDE

Do your security roles and responsibilities make it
clear that specific people will be held accountable
for their actions and inactions?

YES

NO

N/A

 

 

31

GUIDE

Do your security roles and responsibilities make
it clear that security risks must be reported to
your organization?

YES

NO

N/A

 

 

32

GUIDE

Do your security roles and responsibilities
make it clear that security events must
be reported to your organization?

YES

NO

N/A

 

 

33

GUIDE

Do you communicate your organization’s security
roles and responsibilities to job applicants during
the pre-employment process?

YES

NO

N/A

 

 

34

NOTE

Do you communicate your organization’s security
roles and responsibilities to all non-staff members?

YES

NO

N/A

 

 

35

NOTE

Do you use job descriptions to document and
communicate your organization’s security
roles and responsibilities?

YES

NO

N/A

 

 

8.1.2 VERIFY THE BACKGROUNDS OF NEW PERSONNEL

ANSWERS

COMMENTS

 

36

CTRL

Do you check the backgrounds of all candidates
 for employment before you allow them to access
your organization’s information?

YES

NO

N/A

 

 

37

CTRL

Do you check the backgrounds of contractors
 before you allow them to access your
organization’s information?

YES

NO

N/A

 

 

38

CTRL

Do you check the backgrounds of third-party
users before you allow them to access your
organization’s information?

YES

NO

N/A

 

 

39

CTRL

Do your background checks comply
with all relevant laws and regulations?

YES

NO

N/A

 

 

40

CTRL

Do your background checks comply
with all relevant ethical standards?

YES

NO

N/A

 

 

41

CTRL

Do you perform more rigorous background
checks on people who will be accessing
sensitive information?

YES

NO

N/A

 

 

42

CTRL

Do you perform more rigorous background checks
when the perceived security risk is greater?

YES

NO

N/A

 

 

43

CTRL

Do your background checks meet your
organization’s business requirements?

YES

NO

N/A

 

 

44

GUIDE

Do your background checks comply
with all relevant privacy legislation?

YES

NO

N/A

 

 

45

GUIDE

Do your background checks comply with all
relevant labor and employment legislation?

YES

NO

N/A

 

 

46

GUIDE

Do your background checks comply with all
relevant personal data protection legislation?

YES

NO

N/A

 

 

47

GUIDE

Do you check out the applicant’s
character references?

YES

NO

N/A

 

 

48

GUIDE

Do you verify the applicant’s
curriculum vitae (résumé)?

YES

NO

N/A

 

 

49

GUIDE

Do you verify the applicant’s
professional qualifications?

YES

NO

N/A

 

 

50

GUIDE

Do you verify the applicant’s
academic qualifications?

YES

NO

N/A

 

 

51

GUIDE

Do you verify the applicant’s personal identify?

YES

NO

N/A

 

 

52

GUIDE

Do you carry out credit checks on new personnel?

YES

NO

N/A

 

 

53

GUIDE

Do you check to see if applicants
have criminal records?

YES

NO

N/A

 

 

54

GUIDE

Do you perform more detailed background
checks on new hires who will be handling
sensitive or confidential information?

YES

NO

N/A

 

 

55

GUIDE

Do you perform more detailed background
checks on people who have been promoted
to a position where they will be handling
sensitive or confidential information?

YES

NO

N/A

 

 

56

GUIDE

Have you established procedures
to control background checks?

YES

NO

N/A

 

 

57

GUIDE

Do your background checking procedures define
how background checks should be performed?

YES

NO

N/A

 

 

58

GUIDE

Do your background checking procedures define
who is allowed to carry out background checks?

YES

NO

N/A

 

 

59

GUIDE

Do your background checking procedures define
when background checks may be performed?

YES

NO

N/A

 

 

60

GUIDE

Do your background checking procedures define
why background checks should be performed?

YES

NO

N/A

 

 

61

GUIDE

Do you use contracts to control how personnel
agencies screen contractors on behalf of your
organization?

YES

NO

N/A

 

 

62

GUIDE

Do your personnel agency contracts define
notification procedures that agencies
must follow whenever background checks
identify doubts or concerns?

YES

NO

N/A

 

 

63

GUIDE

Do agreements with third-party users define
the notification procedures that must be followed
whenever background checks identify doubts or
concerns?

YES

NO

N/A

 

 

64

GUIDE

Do your background checks comply with
all relevant information collection and
handling legislation?

YES

NO

N/A

 

 

65

GUIDE

Do all candidates understand that background
checks will be performed if legislation requires
you to do so?

YES

NO

N/A

 

 

8.1.3 USE CONTRACTS TO PROTECT YOUR INFORMATION

ANSWERS

COMMENTS

 

66

CTRL

Do you use contractual terms and conditions to
specify your organization’s information security
responsibilities?

YES

NO

N/A

 

 

67

CTRL

Do you use contractual terms and conditions
to specify your employees’ information security
responsibilities?

YES

NO

N/A

 

 

68

CTRL

Do you use contractual terms and conditions
to specify your contractors’ information security
responsibilities?

YES

NO

N/A

 

 

69

CTRL

Do you use contractual terms and conditions
to specify third-party users’ information security
responsibilities?

YES

NO

N/A

 

 

70

GUIDE

Do your employment terms and conditions apply
your organization’s information security policy?

YES

NO

N/A

 

 

71

GUIDE

Do all new employees sign confidentiality or
nondisclosure agreements before you allow
them to access sensitive information?

YES

NO

N/A

 

 

72

GUIDE

Do all new contractors sign confidentiality or
nondisclosure agreements before you allow
them to access sensitive information?

YES

NO

N/A

 

 

73

GUIDE

Do all new third-party users sign confidentiality
or nondisclosure agreements before you allow
them to use sensitive information?

YES

NO

N/A

 

 

74

GUIDE

Do you use employment contracts to specify what
new employees’ legal rights and responsibilities are?

YES

NO

N/A

 

 

75

GUIDE

Do you use contractual terms and conditions
to specify what new contractors’ legal rights
and responsibilities are?

YES

NO

N/A

 

 

76

GUIDE

Do you use contractual terms and conditions
to specify what your new third party users’
legal rights and responsibilities are?

YES

NO

N/A

 

 

77

GUIDE

Do you use contractual terms and conditions
to state how copyright laws must be respected
and applied?

YES

NO

N/A

 

 

78

GUIDE

Do you use contractual terms and conditions to
explain how data protection laws must be applied?

YES

NO

N/A

 

 

79

GUIDE

Do you use employment contracts to state that
employees are expected to classify information?

YES

NO

N/A

 

 

80

GUIDE

Do you use employment contracts to state
that employees are expected to handle and
help control your organization’s information
systems and services?

YES

NO

N/A

 

 

81

GUIDE

Do you use your contractual terms and conditions
to state that contractors are expected to handle and
help control your information systems and services?

YES

NO

N/A

 

 

82

GUIDE

Do you use your contractual terms and conditions
to state that third-party users are expected to handle
and help control information systems and services?

YES

NO

N/A

 

 

83

GUIDE

Do you use employment contracts to explain
how employees are expected to handle information
received from other companies or external parties?

YES

NO

N/A

 

 

84

GUIDE

Do you use contractual terms and conditions to
explain how contractors are expected to handle
information received from other companies or
external parties?

YES

NO

N/A

 

 

85

GUIDE

Do you use contractual terms and conditions
to explain how third-party users are expected
to handle information received from other
companies or external parties?

YES

NO

N/A

 

 

86

GUIDE

Do you use employment contracts to explain how
your organization is legally obligated to manage
and protect personal information?

YES

NO

N/A

 

 

87

GUIDE

Do you use employment contracts to explain what
employees must do to protect personal information?

YES

NO

N/A

 

 

88

GUIDE

Do you use contracts to make it clear that personnel
must protect your information even when they are
working at home or outside of normal working hours?

YES

NO

N/A

 

 

89

GUIDE

Do you use employment contracts to explain
what will be done if an employee disregards
your organization’s security requirements?

YES

NO

N/A

 

 

90

GUIDE

Do you use contracts to explain what will be done if
a contractor disregards your security requirements?

YES

NO

N/A

 

 

91

GUIDE

Do you use contracts to explain what will be done if 
a third-party user disregards your security requirements?

YES

NO

N/A

 

 

92

GUIDE

Do you use contractual terms and conditions to define
the security restrictions and obligations that control
how employees will use your assets and access
your information systems and services?

YES

NO

N/A

 

 

93

GUIDE

Do you use contractual terms and conditions to define
the security restrictions and obligations that control
how contractors will use your assets and access
your information systems and services?

YES

NO

N/A

 

 

94

GUIDE

Do you use contractual terms and conditions to define
the security restrictions and obligations that control
how third-party users will use your assets and access
your information systems and services?

YES

NO

N/A

 

 

95

GUIDE

Do you use contractual terms and conditions to
ensure that all personnel agree to comply with the
information security restrictions and obligations that
control how they use your assets and access your
information systems and services?

YES

NO

N/A

 

 

96

GUIDE

Do your security restrictions and obligations
continue for a specified period after employment
has been terminated?

YES

NO

N/A

 

 

97

GUIDE

Do you use a code of conduct to describe the
ethical obligations and responsibilities that
employees, contractors, and third party
users must accept?

YES

NO

N/A

 

 

98

GUIDE

Do you use a code of conduct to describe the
data protection obligations and responsibilities
that employees, contractors, and third party
users must accept?

YES

NO

N/A

 

 

99

GUIDE

Do you use a code of conduct to describe the
confidentiality obligations and responsibilities
that employees, contractors, and third party
users must accept?

YES

NO

N/A

 

 

100

GUIDE

Do you use a code of conduct to describe
your tools and equipment usage restrictions
and expectations?

YES

NO

N/A

 

 

101

GUIDE

Do you use a code of conduct to describe
facility use restrictions and expectations?

YES

NO

N/A

 

 

102

GUIDE

Do you use a code of conduct
to define reputable practices?

YES

NO

N/A

 

 

 

Etcetera ...

YES

NO

N/A

 

 

ORGANIZATION:

SCOPE OF AUDIT:

COMPLETED BY:

DATE COMPLETED:

REVIEWED BY:

DATE REVIEWED:

SEP 2007

COPYRIGHT © PRAXIOM RESEARCH GROUP LIMITED. ALL RIGHTS RESERVED.

VER 4.0

PART 8

HUMAN RESOURCE SECURITY MANAGEMENT AUDIT

 PAGE 64

RELATED RESOURCES

ISO 27002 2013 Introduction

Overview of ISO IEC 27002 2013

Information Security Control Objectives

ISO IEC 27000 Definitions in Plain English

How to Use the ISO IEC 27002 2013 Standard

ISO IEC 27002 2013 versus ISO IEC 27002 2005

ISO IEC 27002 2013 Translated into Plain English

ISO IEC 27002 2013 Information Security Audit Tool

Plain English ISO IEC 27002 2013 Security Checklist

Knowledge Information Security Auditors Must Have

OTHER AUDIT TOOLS

Updated on April 29, 2014. First published on November 8, 2004.

Home Page

Our Libraries

A to Z Index

Our Customers

How to Order

Our Products

Our Prices

Our Guarantee

Praxiom Research Group Limited         780-461-4514         help@praxiom.com

Legal Restrictions on the Use of this Page
Thank you for visiting this webpage. You are, of course, welcome to view our material as often
as you wish, free of charge. And as long as you keep intact all copyright notices, you are also
welcome to print or make one copy of this page for your own personal, noncommercial,
home use. But, you are not legally authorized to print or produce additional copies or to
copy and paste any of our material onto another web site or to republish it in any way.

Copyright © 2004 - 2014 by Praxiom Research Group Limited. All Rights Reserved.

Praxiom Research Group Limited