UnixTime

Research Note

Template - A.5.2 Audit Checklist

Research note.

On this page

A.5.2 Information Security Roles and Responsibilities

Audit test Evidence to request Pass criteria
Confirm overall information security responsibility Org chart, appointment letter, job description Named role/person responsible for information security
Confirm responsibilities for all personnel Job descriptions, handbook, policy acknowledgements Baseline responsibilities defined
Confirm role-specific responsibilities Admin role descriptions, incident team charter, system owner documents High-risk roles have specific responsibilities
Confirm communication Onboarding records, training records, emails Personnel were informed of responsibilities
Confirm acknowledgement Signed job descriptions, LMS attestations, contract acknowledgements Relevant people accepted responsibilities
Confirm consistency Compare policy, procedures, RACI, job descriptions No contradictions in responsibility assignment
Confirm currency Review dates, version history, HR records Documents are current and controlled
Confirm role change handling Addenda, reissued job descriptions, training records Changes are communicated and trained
Confirm contractor coverage Contracts, SOWs, access agreements Contractors have defined security duties
Confirm third-party accountability Supplier contracts, vendor owner records Internal owner manages outsourced activities
Confirm delegation control Delegation records, task tracking, review evidence Delegated tasks are verified by accountable owner
Confirm no ownership gaps RACI, control owner register, interviews Key security activities have accountable owners
  • Iso27001
  • ISO27002
  • Template
  • Audit
  • A5 2

Note Metadata

Aliases: A.5.2 Audit Checklist

Source: 90 Templates/A.5.2 Audit Checklist.md