Related control
A.5.2 Information Security Roles and Responsibilities
| Audit test | Evidence to request | Pass criteria |
|---|---|---|
| Confirm overall information security responsibility | Org chart, appointment letter, job description | Named role/person responsible for information security |
| Confirm responsibilities for all personnel | Job descriptions, handbook, policy acknowledgements | Baseline responsibilities defined |
| Confirm role-specific responsibilities | Admin role descriptions, incident team charter, system owner documents | High-risk roles have specific responsibilities |
| Confirm communication | Onboarding records, training records, emails | Personnel were informed of responsibilities |
| Confirm acknowledgement | Signed job descriptions, LMS attestations, contract acknowledgements | Relevant people accepted responsibilities |
| Confirm consistency | Compare policy, procedures, RACI, job descriptions | No contradictions in responsibility assignment |
| Confirm currency | Review dates, version history, HR records | Documents are current and controlled |
| Confirm role change handling | Addenda, reissued job descriptions, training records | Changes are communicated and trained |
| Confirm contractor coverage | Contracts, SOWs, access agreements | Contractors have defined security duties |
| Confirm third-party accountability | Supplier contracts, vendor owner records | Internal owner manages outsourced activities |
| Confirm delegation control | Delegation records, task tracking, review evidence | Delegated tasks are verified by accountable owner |
| Confirm no ownership gaps | RACI, control owner register, interviews | Key security activities have accountable owners |
- Iso27001
- ISO27002
- Template
- Audit
- A5 2
Note Metadata
Aliases: A.5.2 Audit Checklist
Source: 90 Templates/A.5.2 Audit Checklist.md