Audit Question
- How does the organization prove ISO27001-A.6.5 is implemented and operating?
- What evidence shows ownership, review cadence, exceptions, and corrective action?
- Which failed condition would create an audit finding for this control?
Expected Answer
A strong answer should connect ISO27001-A.6.5 to assigned ownership, documented requirements, operating records, review cadence, exceptions, and corrective action. The answer should explain how this control changes risk, not merely assert that a document exists.
Expected Evidence
- ISO27001-A.6.5 Control Card
- A.6.5 Audit Evidence Pack
- People Controls Audit Guide
- A.6.5 Detailed Note
- A.6.5 Audit Checklist
Weaknesses / Gaps
- Evidence proves a document exists but not that the control operated.
- Ownership, review frequency, exception handling, or corrective action is missing.
- The control is not linked to risk treatment, affected assets, or audit scope.
Improved Answer
A defensible answer should cite a recent sample, the responsible owner, the evidence record, and the decision made when the control produced an exception or required follow-up.
- Iso27001
- Iso27002
- Audit
- Audit question
- Annex a
- A6 5
Note Metadata
Aliases: AQ-ISO27001-A.6.5, ISO27001-A.6.5 Audit Question
Source: 04-ISMS-Artifacts/AQ-ISO27001-A.6.5-responsibilities-after-termination-or-change-of-employment.md
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.