UnixTime

Research Note

Template - A.5.1 Audit Checklist

Research note.

On this page

A.5.1 Policies for Information Security

Audit test Evidence to request Pass criteria
Confirm top-level policy exists Information Security Policy Current, approved, controlled
Confirm management approval Signature, approval workflow, committee minutes Approved by appropriate senior management
Confirm policy ownership Policy metadata, RACI, role description Named owner responsible for maintenance
Confirm version control Version history, change log Current version identifiable and controlled
Confirm publication Intranet, GRC tool, handbook Relevant users can access it
Confirm communication Email, LMS, awareness records Relevant users were informed
Confirm acknowledgement Attestation records, onboarding records Required users acknowledged policy
Confirm external communication Contracts, supplier packs, redacted policy Relevant external parties received requirements
Confirm topic-specific policies Policy register, linked documents Supporting policies exist and are linked
Confirm review schedule Policy review calendar Review frequency defined and appropriate
Confirm completed reviews Review minutes, change records Reviews happened as planned
Confirm triggered review process Incident/change/risk review procedure Significant changes trigger policy review
Confirm exception handling Exception procedure/register Exceptions are approved and risk-assessed
Confirm staff awareness Interviews/sample testing Personnel know policy exists and understand key duties
  • Iso27001
  • ISO27002
  • Template
  • Audit
  • A5 1

Note Metadata

Aliases: A.5.1 Audit Checklist

Source: 90 Templates/A.5.1 Audit Checklist.md