ISO IEC 27002 2005*

*ISO IEC 27002 2005 was previously known as ISO IEC 17799 2005.
This web page describes our ISO IEC 27002 2005 (17799) Audit Tool. We begin with a table of contents, which shows how we've organized the tool, and then present a sample of the audit questions from one part. For each question, three answers are possible: YES, NO, and N/A. Our audit questionnaires can be used to identify the gaps that exist between your organization's current practice and the standard.
ISO IEC 27002 (17799)

TABLE OF CONTENTS

| PART | TITLE | PAGE |
|---|---|---|
| 1 | Audit Profile | 3 |
| 2 | Audit Summary | 4 |
| 3 | Introduction to Audit | 5 |
| 4 | Outline of Audit Process | 6 |
| 5 | Security Policy Management Audit | 14 |
| 6 | Corporate Security Management Audit | 21 |
| 7 | Organizational Asset Management Audit | PDF sample |
| 8 | Human Resource Security Management Audit | HTML sample |
| 9 | Physical and Environmental Security Management Audit | PDF sample |
| 10 | Communications and Operations Management Audit | 101 |
| 11 | Information Access Control Management Audit | 153 |
| 12 | Information Systems Security Management Audit | 188 |
| 13 | Information Security Incident Management Audit | PDF sample |
| 14 | Business Continuity Management Audit | 226 |
| 15 | Compliance Management Audit | 240 |
| 16 | Legal and Contact Information | 256 |

Parts marked "PDF sample" or "HTML sample" link to sample pages in place of a page number; Part 8 is the HTML sample reproduced below.

SEPT 2007 | COPYRIGHT © 2007 BY PRAXIOM RESEARCH GROUP LIMITED | VERSION 4.0
The following material presents a sample of our audit questionnaires.
SAMPLE AUDIT QUESTIONS
ISO IEC 27002 2005

The TYPE column shows where each question comes from in the standard: the control objective (GOAL), the control statement (CTRL), the implementation guidance (GUIDE), or the other-information notes (NOTE). Tick one of YES, NO, or N/A for each question and record evidence or remarks in COMMENTS.

8.1 EMPHASIZE SECURITY PRIOR TO EMPLOYMENT

| # | TYPE | QUESTION | YES | NO | N/A | COMMENTS |
|---|---|---|---|---|---|---|
| 1 | GOAL | Have you reduced the risk of theft, fraud, or misuse of facilities by making sure that all prospective employees understand their responsibilities before you hire them? | | | | |
| 2 | GOAL | Have you reduced the risk of theft, fraud, or misuse of facilities by making sure that all prospective contractors understand their responsibilities before you hire them? | | | | |
| 3 | GOAL | Have you reduced the risk of theft, fraud, or misuse of facilities by making sure that all third-party users understand their responsibilities before you allow them to use your facilities? | | | | |
| 4 | GOAL | Have you reduced the risk of theft, fraud, or misuse of facilities by making sure that all prospective employees are suitable given the roles that they will be asked to carry out? | | | | |
| 5 | GOAL | Have you reduced the risk of theft, fraud, or misuse of facilities by making sure that all prospective contractors are suitable given the tasks that they will be carrying out? | | | | |
| 6 | GOAL | Have you reduced the risk of theft, fraud, or misuse of facilities by making sure that all third-party users are suitable before you allow them to use your facilities? | | | | |
| 7 | GOAL | Do you use clear job descriptions to define the security responsibilities that new personnel will be carrying out? | | | | |
| 8 | GOAL | Do you use employment terms and conditions to specify the security responsibilities that new personnel will be asked to carry out? | | | | |
| 9 | GOAL | Do you screen all employees before you hire them, especially when they will be asked to perform sensitive jobs? | | | | |
| 10 | GOAL | Do you screen all contractors before you hire them, especially when they will be asked to provide sensitive services? | | | | |
| 11 | GOAL | Do you screen all third-party users, especially when they will be allowed to access sensitive information? | | | | |
| 12 | GOAL | Do you ask prospective employees to sign agreements that specify what their security roles and responsibilities are? | | | | |
| 13 | GOAL | Do you ask prospective contractors to sign agreements that specify what their security roles and responsibilities are? | | | | |
| 14 | GOAL | Do you ask prospective third-party users to sign agreements that specify what their security roles and responsibilities are? | | | | |
8.1.1 DEFINE SECURITY ROLES AND RESPONSIBILITIES

| # | TYPE | QUESTION | YES | NO | N/A | COMMENTS |
|---|---|---|---|---|---|---|
| 15 | CTRL | Are your organization’s security roles and responsibilities defined in accordance with your information security policy? | | | | |
| 16 | CTRL | Do you use your security role and responsibility definitions to implement your security policy? | | | | |
| 17 | CTRL | Have you implemented your information security policy by expecting prospective employees to perform security roles and responsibilities? | | | | |
| 18 | CTRL | Have you implemented your organization’s information security policy by expecting prospective contractors to perform security roles and responsibilities? | | | | |
| 19 | CTRL | Have you implemented your organization’s information security policy by expecting third-party users to perform security roles and responsibilities? | | | | |
| 20 | CTRL | Have you documented security roles and responsibilities? | | | | |
| 21 | GUIDE | Do your security roles and responsibilities make it clear that all personnel must implement your organization’s information security policy? | | | | |
| 22 | GUIDE | Do your security roles and responsibilities make it clear that all behavior must comply with your organization’s information security policy? | | | | |
| 23 | GUIDE | Do your organization’s security roles and responsibilities make it clear that all assets must be protected from unauthorized access? | | | | |
| 24 | GUIDE | Do your organization’s security roles and responsibilities make it clear that all assets must be protected from unauthorized disclosure? | | | | |
| 25 | GUIDE | Do your organization’s security roles and responsibilities make it clear that all assets must be protected from unauthorized modification? | | | | |
| 26 | GUIDE | Do your organization’s security roles and responsibilities make it clear that all assets must be protected from unauthorized destruction? | | | | |
| 27 | GUIDE | Do your organization’s security roles and responsibilities make it clear that all assets must be protected from unauthorized interference? | | | | |
| 28 | GUIDE | Do your security roles and responsibilities make it clear that all specified security activities and processes must be carried out? | | | | |
| 29 | GUIDE | Do your security roles and responsibilities make it clear that responsibilities must be assigned to specific people? | | | | |
| 30 | GUIDE | Do your security roles and responsibilities make it clear that specific people will be held accountable for their actions and inactions? | | | | |
| 31 | GUIDE | Do your security roles and responsibilities make it clear that security risks must be reported to your organization? | | | | |
| 32 | GUIDE | Do your security roles and responsibilities make it clear that security events must be reported to your organization? | | | | |
| 33 | GUIDE | Do you communicate your organization’s security roles and responsibilities to job applicants during the pre-employment process? | | | | |
| 34 | NOTE | Do you communicate your organization’s security roles and responsibilities to all non-staff members? | | | | |
| 35 | NOTE | Do you use job descriptions to document and communicate your organization’s security roles and responsibilities? | | | | |
8.1.2 VERIFY THE BACKGROUNDS OF NEW PERSONNEL

| # | TYPE | QUESTION | YES | NO | N/A | COMMENTS |
|---|---|---|---|---|---|---|
| 36 | CTRL | Do you check the backgrounds of all candidates for employment before you allow them to access your organization’s information? | | | | |
| 37 | CTRL | Do you check the backgrounds of contractors before you allow them to access your organization’s information? | | | | |
| 38 | CTRL | Do you check the backgrounds of third-party users before you allow them to access your organization’s information? | | | | |
| 39 | CTRL | Do your background checks comply with all relevant laws and regulations? | | | | |
| 40 | CTRL | Do your background checks comply with all relevant ethical standards? | | | | |
| 41 | CTRL | Do you perform more rigorous background checks on people who will be accessing sensitive information? | | | | |
| 42 | CTRL | Do you perform more rigorous background checks when the perceived security risk is greater? | | | | |
| 43 | CTRL | Do your background checks meet your organization’s business requirements? | | | | |
| 44 | GUIDE | Do your background checks comply with all relevant privacy legislation? | | | | |
| 45 | GUIDE | Do your background checks comply with all relevant labor and employment legislation? | | | | |
| 46 | GUIDE | Do your background checks comply with all relevant personal data protection legislation? | | | | |
| 47 | GUIDE | Do you check out the applicant’s character references? | | | | |
| 48 | GUIDE | Do you verify the applicant’s curriculum vitae (résumé)? | | | | |
| 49 | GUIDE | Do you verify the applicant’s professional qualifications? | | | | |
| 50 | GUIDE | Do you verify the applicant’s academic qualifications? | | | | |
| 51 | GUIDE | Do you verify the applicant’s personal identity? | | | | |
| 52 | GUIDE | Do you carry out credit checks on new personnel? | | | | |
| 53 | GUIDE | Do you check to see if applicants have criminal records? | | | | |
| 54 | GUIDE | Do you perform more detailed background checks on new hires who will be handling sensitive or confidential information? | | | | |
| 55 | GUIDE | Do you perform more detailed background checks on people who have been promoted to a position where they will be handling sensitive or confidential information? | | | | |
| 56 | GUIDE | Have you established procedures to control background checks? | | | | |
| 57 | GUIDE | Do your background checking procedures define how background checks should be performed? | | | | |
| 58 | GUIDE | Do your background checking procedures define who is allowed to carry out background checks? | | | | |
| 59 | GUIDE | Do your background checking procedures define when background checks may be performed? | | | | |
| 60 | GUIDE | Do your background checking procedures define why background checks should be performed? | | | | |
| 61 | GUIDE | Do you use contracts to control how personnel agencies screen contractors on behalf of your organization? | | | | |
| 62 | GUIDE | Do your personnel agency contracts define notification procedures that agencies must follow whenever background checks identify doubts or concerns? | | | | |
| 63 | GUIDE | Do agreements with third-party users define the notification procedures that must be followed whenever background checks identify doubts or concerns? | | | | |
| 64 | GUIDE | Do your background checks comply with all relevant information collection and handling legislation? | | | | |
| 65 | GUIDE | Do all candidates understand that background checks will be performed if legislation requires you to do so? | | | | |
8.1.3 USE CONTRACTS TO PROTECT YOUR INFORMATION

| # | TYPE | QUESTION | YES | NO | N/A | COMMENTS |
|---|---|---|---|---|---|---|
| 66 | CTRL | Do you use contractual terms and conditions to specify your organization’s information security responsibilities? | | | | |
| 67 | CTRL | Do you use contractual terms and conditions to specify your employees’ information security responsibilities? | | | | |
| 68 | CTRL | Do you use contractual terms and conditions to specify your contractors’ information security responsibilities? | | | | |
| 69 | CTRL | Do you use contractual terms and conditions to specify third-party users’ information security responsibilities? | | | | |
| 70 | GUIDE | Do your employment terms and conditions apply your organization’s information security policy? | | | | |
| 71 | GUIDE | Do all new employees sign confidentiality or nondisclosure agreements before you allow them to access sensitive information? | | | | |
| 72 | GUIDE | Do all new contractors sign confidentiality or nondisclosure agreements before you allow them to access sensitive information? | | | | |
| 73 | GUIDE | Do all new third-party users sign confidentiality or nondisclosure agreements before you allow them to use sensitive information? | | | | |
| 74 | GUIDE | Do you use employment contracts to specify what new employees’ legal rights and responsibilities are? | | | | |
| 75 | GUIDE | Do you use contractual terms and conditions to specify what new contractors’ legal rights and responsibilities are? | | | | |
| 76 | GUIDE | Do you use contractual terms and conditions to specify what your new third-party users’ legal rights and responsibilities are? | | | | |
| 77 | GUIDE | Do you use contractual terms and conditions to state how copyright laws must be respected and applied? | | | | |
| 78 | GUIDE | Do you use contractual terms and conditions to explain how data protection laws must be applied? | | | | |
| 79 | GUIDE | Do you use employment contracts to state that employees are expected to classify information? | | | | |
| 80 | GUIDE | Do you use employment contracts to state that employees are expected to handle and help control your organization’s information systems and services? | | | | |
| 81 | GUIDE | Do you use your contractual terms and conditions to state that contractors are expected to handle and help control your information systems and services? | | | | |
| 82 | GUIDE | Do you use your contractual terms and conditions to state that third-party users are expected to handle and help control information systems and services? | | | | |
| 83 | GUIDE | Do you use employment contracts to explain how employees are expected to handle information received from other companies or external parties? | | | | |
| 84 | GUIDE | Do you use contractual terms and conditions to explain how contractors are expected to handle information received from other companies or external parties? | | | | |
| 85 | GUIDE | Do you use contractual terms and conditions to explain how third-party users are expected to handle information received from other companies or external parties? | | | | |
| 86 | GUIDE | Do you use employment contracts to explain how your organization is legally obligated to manage and protect personal information? | | | | |
| 87 | GUIDE | Do you use employment contracts to explain what employees must do to protect personal information? | | | | |
| 88 | GUIDE | Do you use contracts to make it clear that personnel must protect your information even when they are working at home or outside of normal working hours? | | | | |
| 89 | GUIDE | Do you use employment contracts to explain what will be done if an employee disregards your organization’s security requirements? | | | | |
| 90 | GUIDE | Do you use contracts to explain what will be done if a contractor disregards your security requirements? | | | | |
| 91 | GUIDE | Do you use contracts to explain what will be done if a third-party user disregards your security requirements? | | | | |
| 92 | GUIDE | Do you use contractual terms and conditions to define the security restrictions and obligations that control how employees will use your assets and access your information systems and services? | | | | |
| 93 | GUIDE | Do you use contractual terms and conditions to define the security restrictions and obligations that control how contractors will use your assets and access your information systems and services? | | | | |
| 94 | GUIDE | Do you use contractual terms and conditions to define the security restrictions and obligations that control how third-party users will use your assets and access your information systems and services? | | | | |
| 95 | GUIDE | Do you use contractual terms and conditions to ensure that all personnel agree to comply with the information security restrictions and obligations that control how they use your assets and access your information systems and services? | | | | |
| 96 | GUIDE | Do your security restrictions and obligations continue for a specified period after employment has been terminated? | | | | |
| 97 | GUIDE | Do you use a code of conduct to describe the ethical obligations and responsibilities that employees, contractors, and third-party users must accept? | | | | |
| 98 | GUIDE | Do you use a code of conduct to describe the data protection obligations and responsibilities that employees, contractors, and third-party users must accept? | | | | |
| 99 | GUIDE | Do you use a code of conduct to describe the confidentiality obligations and responsibilities that employees, contractors, and third-party users must accept? | | | | |
| 100 | GUIDE | Do you use a code of conduct to describe your tools and equipment usage restrictions and expectations? | | | | |
| 101 | GUIDE | Do you use a code of conduct to describe facility use restrictions and expectations? | | | | |
| 102 | GUIDE | Do you use a code of conduct to define reputable practices? | | | | |
| ... | | Etcetera ... | | | | |

| ORGANIZATION: | SCOPE OF AUDIT: |
|---|---|
| COMPLETED BY: | DATE COMPLETED: |
| REVIEWED BY: | DATE REVIEWED: |
PART 8 | HUMAN RESOURCE SECURITY MANAGEMENT AUDIT | PAGE 64
Now that you understand our approach, please consider purchasing our ISO IEC 27002 2005 Audit Tool. Check our Prices. Place an Order.
PRAXIOM RESEARCH GROUP LIMITED

Updated on May 18, 2009. On the Web since May 25, 1997.
Disclaimer and Limitation of Liability

The publisher and authors have used their best efforts in designing and developing this electronic publication. We make no representation or warranties with respect to the accuracy or completeness of the contents of this publication and specifically disclaim any implied warranties of merchantability or fitness for any particular purpose, and shall in no event be liable for any loss of profit or any other commercial damage, including but not limited to special, incidental, consequential, or other damages.

Legal Restrictions on the Use of this Page

Thank you for visiting this page. You are, of course, welcome to view our material as often as you wish, free of charge. And as long as you keep intact all copyright notices, you are also welcome to print or make one copy of this page for your own personal, noncommercial, home use. But you are not legally authorized to print or produce additional copies, or to copy and paste any of our material onto another web site. If you would like to purchase our material, please contact our Sales Desk. Our staff would be very pleased to take your order or to answer any questions you might have.

Copyright © 2006-2009 by Praxiom Research Group Limited. All Rights Reserved.