Related control
A.5.1 Policies for Information Security
| Audit test | Evidence to request | Pass criteria |
|---|---|---|
| Confirm top-level policy exists | Information Security Policy | Current, approved, controlled |
| Confirm management approval | Signature, approval workflow, committee minutes | Approved by appropriate senior management |
| Confirm policy ownership | Policy metadata, RACI, role description | Named owner responsible for maintenance |
| Confirm version control | Version history, change log | Current version identifiable and controlled |
| Confirm publication | Intranet, GRC tool, handbook | Relevant users can access it |
| Confirm communication | Email, LMS, awareness records | Relevant users were informed |
| Confirm acknowledgement | Attestation records, onboarding records | Required users acknowledged policy |
| Confirm external communication | Contracts, supplier packs, redacted policy | Relevant external parties received requirements |
| Confirm topic-specific policies | Policy register, linked documents | Supporting policies exist and are linked |
| Confirm review schedule | Policy review calendar | Review frequency defined and appropriate |
| Confirm completed reviews | Review minutes, change records | Reviews happened as planned |
| Confirm triggered review process | Incident/change/risk review procedure | Significant changes trigger policy review |
| Confirm exception handling | Exception procedure/register | Exceptions are approved and risk-assessed |
| Confirm staff awareness | Interviews/sample testing | Personnel know policy exists and understand key duties |
- Iso27001
- ISO27002
- Template
- Audit
- A5 1
Note Metadata
Aliases: A.5.1 Audit Checklist
Source: 90 Templates/A.5.1 Audit Checklist.md