UnixTime

Research Note

A.6.2 Audit Checklist

Use this checklist during an internal audit of employment, contractor, and third-party security responsibility terms.

On this page

When to use this

Use this checklist during an internal audit of employment, contractor, and third-party security responsibility terms.

Audit checklist

  • Confirm employment and contractual agreements state information security responsibilities.
  • Confirm agreements cover employees, contractors, and third-party users in scope.
  • Sample records and verify terms were accepted before work or access began.
  • Confirm confidentiality agreements are signed before access to confidential information.
  • Check whether terms cover legal duties, classification handling, acceptable use, and non-compliance consequences.
  • Check whether remote work, customer-site work, and outside-hours responsibilities are covered where relevant.
  • Check whether post-employment obligations are included where legally permitted.
  • Confirm terms are updated when role or security responsibilities change.
  • Confirm the organization’s responsibilities for personnel personal data are stated.
  • Record nonconformities, observations, and improvement actions.

Findings table

Sample Expected evidence Observed evidence Gap Finding type Action owner
TBD TBD TBD TBD NC / observation / conforming TBD