UnixTime

Domain guide

What this domain covers

Evidence packs, audit questions, implementation proof, registers, and records that help prove controls are operating.

270 resources

Guide + resources

Grouped resources

Guide notes

Implementation context, reference notes, and explanatory material.

65 items
Framework note 03 mins read

A.5 Organizational Controls Audit Guide

This note gives the audit view for the currently documented A.5 organizational controls. Use the evidence packs for detailed requests and this guide for audit logic.

ISO27001 ISO27002 iso27001 auditor-guide
Framework note 02 mins read

A.6 People Controls Audit Guide

1. Select samples across employees, contractors, temporary staff, and third-party users. 2. Compare onboarding dates, agreement dates, screening completion dates, and access pro...

ISO27001 ISO27002 iso27001 auditor-guide
Framework note 04 mins read

A.7 Physical Controls Audit Guide

1. Review zone registers, floor/security diagrams, and risk assessment. 2. Walk the physical site and test practical bypass paths. 3. Observe badge use, visitor handling, recept...

ISO27001 ISO27002 iso27001 auditor-guide
Framework note 08 mins read

A.8 Technological Controls Audit Guide

1. Review policies and standards before sampling technical evidence. 2. Sample endpoint inventory against MDM/EDR/compliance reports. 3. Check remote access, timeout, encryption...

ISO27001 iso27001 auditor-guide technological-controls
Research note 01 min read

AQ-ISO27001-A.7.12 Cabling Security

Audit question set for ISO27001-A.7.12. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.7.13 Equipment Maintenance

Audit question set for ISO27001-A.7.13. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.7.14 Secure Disposal or Re-Use of Equipment

Audit question set for ISO27001-A.7.14. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Framework note 02 mins read

Internal Audit Execution Guide

- What risk does this control treat? - Who owns the control? - How do you know it operated during the audit period? - What happens when the control fails? - What evidence would...

ISO27001 iso27001 auditor-guide internal-audit
Framework note 01 min read

ISO 27001 Auditor Guide

This guide is the audit view of the vault. It turns the ISO/IEC 27001 and Annex A notes into audit planning, evidence testing, interview questions, findings, and corrective acti...

ISO27001 iso27001 auditor-guide internal-audit
Research note 01 min read

AQ-ISO27001-A.7.10 Storage Media

Audit question set for ISO27001-A.7.10. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.7.11 Supporting Utilities

Audit question set for ISO27001-A.7.11. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.7.9 Security of Assets Off-Premises

Audit question set for ISO27001-A.7.9. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.7.8 Equipment Siting and Protection

Audit question set for ISO27001-A.7.8. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.6.1 Screening

Audit question set for ISO27001-A.6.1. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.6.2 Terms and Conditions of Employment

Audit question set for ISO27001-A.6.2. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.6.4 Disciplinary Process

Audit question set for ISO27001-A.6.4. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.6.7 Remote Working

Audit question set for ISO27001-A.6.7. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.6.8 Information Security Event Reporting

Audit question set for ISO27001-A.6.8. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.7.1 Physical Security Perimeters

Audit question set for ISO27001-A.7.1. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.7.2 Physical Entry

Audit question set for ISO27001-A.7.2. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.7.3 Securing Offices, Rooms and Facilities

Audit question set for ISO27001-A.7.3. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.7.4 Physical Security Monitoring

Audit question set for ISO27001-A.7.4. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.7.6 Working in Secure Areas

Audit question set for ISO27001-A.7.6. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.7.7 Clear Desk and Clear Screen

Audit question set for ISO27001-A.7.7. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.33 Protection of Records

Audit question set for ISO27001-A.5.33. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.34 Privacy and Protection of PII

Audit question set for ISO27001-A.5.34. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.37 Documented Operating Procedures

Audit question set for ISO27001-A.5.37. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.28 Collection of Evidence

Audit question set for ISO27001-A.5.28. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.29 Information Security During Disruption

Audit question set for ISO27001-A.5.29. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.30 ICT Readiness for Business Continuity

Audit question set for ISO27001-A.5.30. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.32 Intellectual Property Rights

Audit question set for ISO27001-A.5.32. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.1 Policies for Information Security

Audit question set for ISO27001-A.5.1. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.11 Return of Assets

Audit question set for ISO27001-A.5.11. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.12 Classification of Information

Audit question set for ISO27001-A.5.12. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.13 Labelling of Information

Audit question set for ISO27001-A.5.13. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.14 Information Transfer

Audit question set for ISO27001-A.5.14. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.15 Access Control

Audit question set for ISO27001-A.5.15. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.16 Identity Management

Audit question set for ISO27001-A.5.16. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.17 Authentication Information

Audit question set for ISO27001-A.5.17. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.18 Access Rights

Audit question set for ISO27001-A.5.18. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.3 Segregation of Duties

Audit question set for ISO27001-A.5.3. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.4 Management Responsibilities

Audit question set for ISO27001-A.5.4. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.5 Contact with Authorities

Audit question set for ISO27001-A.5.5. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.6 Contact with Special Interest Groups

Audit question set for ISO27001-A.5.6. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.7 Threat Intelligence

Audit question set for ISO27001-A.5.7. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question

Controls

Control-level notes and control-domain references.

86 items
Framework note 06 mins read

ISO 27001 A.5.1 - Policies for Information Security

Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.5.11 - Return of Assets

When someone leaves, changes role, ends a contract, or no longer needs an asset, the organization must get its assets back and ensure organizational information is returned or s...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.5.13 - Labelling of Information

If information is classified, people need a practical way to see or infer the classification so they can handle it correctly.

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.5.14 - Information Transfer

The organization must define how information can be transferred safely, both internally and externally.

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.5.15 - Access Control

The organization must define and enforce rules for who can access information, systems, services, networks, applications, repositories, and physical locations.

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.5.16 - Identity Management

Every user identity should be created, changed, reviewed, disabled, and removed through a controlled process.

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.5.17 - Authentication Information

The organization must control how secret authentication information is issued, changed, protected, reset, and handled.

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.5.18 - Access Rights

Access rights must be granted, changed, reviewed, and removed through a controlled process.

ISO27001 ISO27002 iso27001 iso27002
Framework note 03 mins read

ISO 27001 A.5.28 - Collection of Evidence

The organization must know how to identify, collect, acquire, preserve, store, and protect evidence related to security events so it remains complete, reliable, and usable.

ISO27001 ISO27002 iso27001 iso27002
Framework note 03 mins read

ISO 27001 A.5.29 - Information Security During Disruption

The organization must decide in advance how information security will be maintained during serious disruption, crisis, disaster recovery, or business continuity events.

ISO27001 ISO27002 iso27001 iso27002
Framework note 06 mins read

ISO 27001 A.5.3 - Segregation of Duties

No single person should be able to perform a sensitive activity from beginning to end without independent oversight, approval, review, or control.

ISO27001 ISO27002 iso27001 iso27002
Framework note 03 mins read

ISO 27001 A.5.30 - ICT Readiness for Business Continuity

The organization must plan, build, maintain, and test ICT continuity capability so priority systems and services can recover in line with business continuity objectives.

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.5.32 - Intellectual Property Rights

The organization must have procedures that prevent unauthorized use, copying, distribution, modification, or licensing misuse of software, documents, designs, source code, trade...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.5.33 - Protection of Records

The organization must protect required records for as long as they need to be retained, so they are not lost, destroyed, falsified, accessed without authorization, or released w...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.5.34 - Privacy and Protection of PII

The organization must identify privacy and PII protection requirements that apply to the personal information it collects, stores, processes, transmits, shares, or retains, then...

ISO27001 ISO27002 iso27001 iso27002
Framework note 03 mins read

ISO 27001 A.5.35 - Independent Review of Information Security

The organization must have its information security management approach and actual implementation independently reviewed at planned intervals and when significant changes happen.

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.5.37 - Documented Operating Procedures

The organization must document operating procedures for information processing facilities and make the current approved procedures available to the people who need to use them.

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.5.4 - Management Responsibilities

Management must require all personnel to apply information security in accordance with the organization's information security policy, topic-specific policies, and procedures.

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.5.5 - Contact with Authorities

The organization must know which external authorities matter for information security and must maintain usable contact paths before an incident, investigation, regulatory reques...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.5.6 - Contact with Special Interest Groups

The organization should stay connected to credible external security knowledge sources. Security teams should not rely only on internal experience, vendor marketing, or outdated...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.5.7 - Threat Intelligence

The organization must collect threat information, analyze it in context, and turn it into usable intelligence for decisions.

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.6.1 - Screening

The organization should check that people are who they claim to be, have the relevant background for the role, and do not present unmanaged personnel risk before they join or re...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.6.2 - Terms and Conditions of Employment

People should not have to guess what they are responsible for. Employment contracts, contractor agreements, confidentiality agreements, onboarding acknowledgements, or security...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.6.4 - Disciplinary Process

The organization needs a documented and communicated process for handling information security policy violations. People should know that violations can lead to action, and mana...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.6.6 - Confidentiality or Non-Disclosure Agreements

The organization should know when confidentiality or non-disclosure agreements are needed, use terms that match its information-protection needs, keep those agreements legally u...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.6.7 - Remote Working

When people work away from organization premises, the organization still has to protect information. That includes homes, hotels, coffee shops, customer sites, temporary offices...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.6.8 - Information Security Event Reporting

People need to know what might be a security event, how to report it, who to report it to, and what not to do. Reporting should be fast, simple, and no-blame enough that people...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.7.1 - Physical Security Perimeters

The organization should know which physical areas need protection and where the boundaries are. A perimeter can be a building boundary, floor, room, cage, cabinet, loading area,...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.7.10 - Storage Media

The organization should control storage media from the moment it is obtained until it is erased, destroyed, disposed of, or transferred. Media includes digital and physical carr...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.7.11 - Supporting Utilities

Information processing facilities need supporting utilities to operate. Electricity, cooling, ventilation, telecommunications, water, fire protection, emergency lighting, and bu...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.7.12 - Cabling Security

Cables are part of the information processing environment. If they are badly routed, unprotected, mixed incorrectly, poorly labelled, or accessible to unauthorized people, they...

ISO27001 ISO27002 iso27001 iso27002
Framework note 03 mins read

ISO 27001 A.7.13 - Equipment Maintenance

Equipment that runs reliably today can still fail tomorrow. The organization should define maintenance needs, follow supplier recommendations, use authorized maintainers, keep m...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.7.14 - Secure Disposal or Re-Use of Equipment

Before equipment is reused, sold, returned, repaired, donated, recycled, or discarded, the organization should verify that sensitive information and licensed software are no lon...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.7.2 - Physical Entry

If an area is secure, entry should be controlled. The organization should know who is allowed in, how entry is verified, how visitors are handled, how delivery/loading areas are...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.7.3 - Securing Offices, Rooms and Facilities

The organization should design and implement physical protections for offices, rooms, and facilities based on what those areas contain and how critical or sensitive the work is.

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.7.4 - Physical Security Monitoring

The organization should monitor premises for unauthorized physical access, similar to how networks are monitored for intrusion. Monitoring may be manual, automated, or a mix of...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.7.6 - Working in Secure Areas

The organization should define how people work inside secure areas when the work itself is sensitive or critical. Physical entry controls are not enough. The rules must also cov...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.7.7 - Clear Desk and Clear Screen

People should not leave sensitive papers, removable media, printed documents, fax messages, or unlocked screens exposed where unauthorized people can see, photograph, remove, al...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.7.8 - Equipment Siting and Protection

The organization should place and protect equipment in a way that reduces physical damage, environmental damage, unauthorized access, unauthorized use, and information exposure.

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.7.9 - Security of Assets Off-Premises

The organization should protect equipment, documents, data, software, and storage media when they leave the organization's controlled environment.

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.8.1 - User End Point Devices

The organization should protect laptops, desktops, mobile phones, tablets, personal devices, and other endpoint devices that users rely on to access organizational information.

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.8.10 - Information Deletion

The organization should not keep information forever just because storage is cheap. When information is no longer needed for business, legal, regulatory, contractual, or evidenc...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.8.11 - Data Masking

The organization should hide, replace, tokenize, pseudonymize, or anonymize sensitive data where full visibility is not needed. The goal is to let people or systems use data for...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.8.12 - Data Leakage Prevention

The organization should prevent sensitive information from leaving approved locations, systems, networks, or channels without authorization. This requires understanding which in...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.8.13 - Information Backup

The organization should make backup copies of important information, software, and systems, protect those backups, and regularly test whether they can actually be restored.

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.8.15 - Logging

The organization should collect useful logs, protect them from tampering, keep them long enough, and review or analyse them so security-relevant events can be detected and inves...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.8.16 - Monitoring Activities

The organization should actively watch important technology environments for signs that something abnormal or suspicious is happening. Monitoring should help detect possible att...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.8.2 - Privileged Access Rights

Privileged access allows users to administer systems, override controls, change configurations, access sensitive data, or recover systems during failure. Because privileged acce...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.8.20 - Networks Security

Networks are not just cables and routers. They are trust paths between users, systems, applications, cloud services, suppliers, and management interfaces. If the network is poor...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.8.21 - Security of Network Services

When the organization uses network services, especially third-party network services, it should know exactly what security features and service levels are required, what the pro...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.8.22 - Segregation of Networks

Large flat networks are hard to defend. Network segregation divides users, systems, and services into smaller physical or logical zones so traffic between them can be controlled.

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.8.23 - Web Filtering

Users can be compromised by visiting malicious websites, downloading fake tools, following phishing links, or connecting to command-and-control infrastructure. Web filtering red...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.8.24 - Use of Cryptography

The organization should define when cryptography is required, what approved cryptographic methods may be used, who manages keys, how keys are protected, and how cryptographic co...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.8.25 - Secure Development Life Cycle

Development work should follow secure rules from the beginning. This applies to software, services, networks, infrastructure, environments, and systems that are built or changed...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.8.26 - Application Security Requirements

Application security requirements should be defined before the application is built, bought, integrated, or changed. The organization should decide what security the application...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.8.28 - Secure Coding

Developers should follow secure coding standards that fit the languages, frameworks, tools, and risk level of the software being built. The standard should explain both general...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.8.3 - Information Access Restriction

The organization should make sure users can only access the information, functions, applications, databases, reports, exports, and assets they need for their role.

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.8.4 - Access to Source Code

Source code, build tools, compilers, package repositories, CI/CD pipelines, and software libraries can directly change how systems behave. If an attacker or unauthorized insider...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.8.5 - Secure Authentication

Authentication is the point where a system tests whether the person, service, or device claiming an identity should be accepted. Secure authentication means the logon process do...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.8.6 - Capacity Management

The organization should know whether its systems, networks, storage, cloud services, databases, staff, and other resources can support current and future demand. Capacity manage...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.8.7 - Protection Against Malware

The organization should reduce the chance that malicious software infects systems, spreads through files or connected services, damages information, or gives attackers unauthori...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.8.8 - Management of Technical Vulnerabilities

The organization should actively find out what vulnerabilities affect its systems, assess how exposed it is, and respond in a risk-based timeframe. Response can include patching...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.8.9 - Configuration Management

The organization should define what secure and acceptable configuration looks like, apply it, monitor whether systems stay aligned to it, and review exceptions. If approved conf...

ISO27001 ISO27002 iso27001 iso27002

Evidence packs

Audit evidence packs, registers, proof records, and evidence examples.

59 items
Template note 02 mins read

A.5.1 Audit Evidence Pack

The auditor wants to confirm that information security policies are defined, approved, published, communicated, acknowledged, controlled, and reviewed.

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.10 Audit Evidence Pack

The auditor wants to confirm that acceptable use rules and information handling procedures are defined, communicated, acknowledged, implemented, and enforced for relevant users...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.11 Audit Evidence Pack

The auditor wants to confirm that employees, contractors, third-party users, and other relevant parties return organizational assets when employment, contract, agreement, or rol...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.12 Audit Evidence Pack

The auditor wants to confirm that the organization has a clear, usable classification scheme and that information is classified according to confidentiality, integrity, availabi...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.13 Audit Evidence Pack

The auditor wants to confirm that labelling procedures exist, align with the classification scheme, and are implemented across relevant physical and digital forms of information.

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.14 Audit Evidence Pack

The auditor wants to confirm that the organization has documented and implemented rules, procedures, or agreements for transferring information internally and externally across...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.15 Audit Evidence Pack

The auditor wants to confirm that physical and logical access rules are defined, implemented, approved, reviewed, and based on business and information security requirements.

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.16 Audit Evidence Pack

The auditor wants to confirm that identities are uniquely registered where possible and managed through the full lifecycle: creation, authorization, change, review, disabling, d...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.17 Audit Evidence Pack

The auditor wants to confirm that secret authentication information is issued, managed, changed, reset, stored, and handled through a controlled process, and that users understa...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.18 Audit Evidence Pack

The auditor wants to confirm that access rights are formally provisioned, reviewed, modified, and removed according to access control rules.

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.19 Audit Evidence Pack

The auditor wants to confirm that supplier information security risks are identified, assessed, controlled, contractually addressed, and reviewed.

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.2 Audit Evidence Pack

The auditor wants to confirm that information security roles and responsibilities are defined, allocated, documented, communicated, understood, accepted, current, and applied to...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.20 Audit Evidence Pack

The auditor wants to confirm that supplier security requirements are established, agreed, authorized, and appropriate to the supplier relationship before access or information s...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.21 Audit Evidence Pack

The auditor wants to confirm that ICT supply-chain risks are identified and managed, including inherited risks from subcontractors, cloud providers, support parties, hosting pro...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.22 Audit Evidence Pack

The auditor wants to confirm that supplier security practices and service delivery are monitored, reviewed, evaluated, and changed through a controlled process.

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.23 Audit Evidence Pack

The auditor wants to confirm that cloud service acquisition, use, management, and exit are governed according to the organization's information security requirements.

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.24 Audit Evidence Pack

The auditor wants to confirm that incident management processes, roles, responsibilities, reporting routes, and preparation activities are defined, established, communicated, an...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.25 Audit Evidence Pack

The auditor wants to confirm that reported security events are assessed using defined criteria and that the incident/non-incident decision is recorded with justification and tim...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.26 Audit Evidence Pack

The auditor wants to confirm that confirmed information security incidents are responded to according to documented procedures and that response decisions, actions, responsibili...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.27 Audit Evidence Pack

The auditor wants to confirm that knowledge from incidents is captured and used to improve controls, procedures, awareness, risk treatment, and the ISMS.

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.28 Audit Evidence Pack

The auditor wants to confirm that procedures exist and operate for identifying, collecting, acquiring, preserving, storing, and protecting evidence related to information securi...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.29 Audit Evidence Pack

The auditor wants to confirm that information security is maintained at an appropriate level during disruption and that continuity plans include security objectives, roles, requ...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.3 Audit Evidence Pack

The auditor wants to confirm that conflicting duties and responsibilities have been identified and segregated, or that compensating controls exist where segregation is not pract...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.30 Audit Evidence Pack

The auditor wants to confirm that ICT readiness is planned, implemented, maintained, and tested based on business continuity objectives and ICT continuity requirements.

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.31 Audit Evidence Pack

The auditor wants to confirm that applicable legal, statutory, regulatory, and contractual information security requirements are identified, documented, owned, kept current, and...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.32 Audit Evidence Pack

The auditor wants to confirm that procedures protect intellectual property rights and that software, content, source code, libraries, and AI-generated material are used within a...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.33 Audit Evidence Pack

The auditor wants to confirm that required records are identified, retained, protected from loss/alteration/unauthorized access/release, reviewed, accessible through retention,...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.34 Audit Evidence Pack

The auditor wants to confirm that privacy and PII requirements are identified, mapped, implemented, reviewed, and evidenced for all relevant PII holdings, roles, transfers, and...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.35 Audit Evidence Pack

The auditor wants to confirm that the information security approach and implementation are independently reviewed at planned intervals and after significant changes, with findin...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.36 Audit Evidence Pack

The auditor wants to confirm that compliance with information security policies, rules, and standards is regularly reviewed through management and technical checks, with finding...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.37 Audit Evidence Pack

The auditor wants to confirm that operating procedures for information processing facilities are documented, controlled, current, available to personnel who need them, and used...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.4 Audit Evidence Pack

The auditor wants to confirm that managers actively require personnel to apply information security according to policies and procedures.

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.5 Audit Evidence Pack

The auditor wants to confirm that the organization has identified relevant authorities, assigned authorized liaison roles, defined contact triggers, maintained accurate contact...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.6 Audit Evidence Pack

The auditor wants to confirm that the organization maintains proportionate contact with relevant specialist security groups, forums, or professional associations and that useful...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.7 Audit Evidence Pack

The auditor wants to confirm that threat information is collected, analyzed, validated, contextualized, and used to support risk assessment, risk treatment, control improvement,...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.8 Audit Evidence Pack

The auditor wants to confirm that information security is integrated into the project management method and applied in real projects from initiation through transition to operat...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.9 Audit Evidence Pack

The auditor wants to confirm that information and associated assets are identified, owned, classified, maintained, protected, and updated through change, project, procurement, a...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.6.1 Audit Evidence Pack

The auditor wants evidence that background verification checks are defined, applied, documented, and protected as personal data.

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.6.2 Audit Evidence Pack

The auditor wants evidence that security responsibilities are defined, accepted, role-appropriate, current, and applicable to employees, contractors, and third-party users in sc...

ISO27001 ISO27002 audit evidence
Template note 03 mins read

A.6.3 Audit Evidence Pack

The auditor wants evidence that training is role-relevant, current, recorded, repeated where needed, and improved based on effectiveness feedback.

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.6.4 Audit Evidence Pack

The auditor wants evidence that the organization can respond fairly and consistently when personnel or relevant interested parties violate information security policy.

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.6.5 Audit Evidence Pack

The auditor wants proof that old access and assets are removed, relevant parties are notified, and continuing duties are communicated after termination or role change.

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.6.6 Audit Evidence Pack

The auditor wants evidence that agreements reflect actual confidentiality requirements and are legally usable where needed.

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.6.7 Audit Evidence Pack

The auditor wants evidence that information remains protected when accessed, processed, or stored outside organization premises.

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.6.8 Audit Evidence Pack

The auditor wants proof that reporting channels are known, usable, timely, and connected to event assessment and incident management.

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.7.1 Audit Evidence Pack

The auditor wants evidence that physical zones protect assets and information, not just a floorplan showing rooms.

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.7.10 Audit Evidence Pack

- Media handling follows classification. - Media is inventoried and labelled where appropriate. - Dispatches are authorized and recorded. - Sensitive media is protected during t...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.7.11 Audit Evidence Pack

- Critical facilities have documented utility dependencies. - UPS/generator tests include load, runtime, cooling, and maintenance evidence. - Alarms detect utility failures and...

ISO27001 ISO27002 audit evidence
Template note 01 min read

A.7.12 Audit Evidence Pack

- Cable routes are documented and protected. - Power/data segregation is implemented where needed. - Patch panels, cabinets, and connections are locked or access-controlled. - L...

ISO27001 ISO27002 audit evidence
Template note 01 min read

A.7.13 Audit Evidence Pack

- Maintenance is scheduled and recorded. - Faults and repairs are tracked. - Maintainers are authorized and qualified. - External maintainers are escorted where required. - Conf...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.7.14 Audit Evidence Pack

- Records identify asset, storage media, classification, method, verifier, and date. - Sanitization method matches media type and sensitivity. - Contractor records are asset-spe...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.7.2 Audit Evidence Pack

The auditor wants evidence that only authorized people can enter secure areas and that visitor, badge, delivery, and loading controls operate in practice.

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.7.3 Audit Evidence Pack

- Controls are based on value, liability, importance, and classification. - Sensitive room purpose is not unnecessarily exposed. - Internal directories and access clues are prot...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.7.4 Audit Evidence Pack

- Monitoring scope is documented and risk-based. - Alerts have owners, response times, and escalation paths. - Monitoring tests are performed and recorded. - Monitoring staff kn...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.7.5 Audit Evidence Pack

- Hazard assessment includes site, room, utility, and neighbor risks. - Specialist advice exists for material hazards. - Controls are implemented and maintained. - Continuity ar...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.7.6 Audit Evidence Pack

- Secure-area work is identified and risk-assessed. - Need-to-know, device, media, supervision, and dual-control rules are documented. - Employees, contractors, and third partie...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.7.7 Audit Evidence Pack

- Rules cover papers, removable media, screens, printers, faxes, storage, and confidential waste. - Auto-lock settings are enforced. - Sensitive print/fax workflows are controll...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.7.8 Audit Evidence Pack

- Equipment inventory includes location, owner, and protection requirement. - Siting assessment covers physical, environmental, viewing, access, and interference risks. - Networ...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.7.9 Audit Evidence Pack

- Asset removal is authorized and logged. - Off-site assets are recorded with custodian, location, and review date. - Mobile devices are encrypted and managed. - Long-term loans...

ISO27001 ISO27002 audit evidence

Templates

Reusable implementation, audit, and operational templates.

59 items
Template note 01 min read

A.5.10 Audit Checklist

Use this during internal audits to verify that acceptable use and handling rules are defined, acknowledged, implemented, and enforced.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.11 Audit Checklist

Use this during internal audits to verify that assets are returned during termination, contract end, agreement end, or role change.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.12 Audit Checklist

Use this during internal audits to verify that information classification is defined, implemented, understood, and maintained.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.13 Audit Checklist

Use this during internal audits to verify that information labelling procedures are defined and implemented in line with the classification scheme.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.14 Audit Checklist

Use this during internal audits to verify that information transfer rules, procedures, and agreements are defined and implemented across actual transfer channels.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.15 Audit Checklist

Use this during internal audits to verify that physical and logical access controls are defined, implemented, approved, and reviewed.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.16 Audit Checklist

Use this during internal audits to verify that identities are managed across the full lifecycle.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.17 Audit Checklist

Use this during internal audits to verify that secret authentication information is allocated and managed through a controlled process.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.18 Audit Checklist

Use this during internal audits to verify that access rights are provisioned, reviewed, modified, and removed according to access control rules.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.19 Audit Checklist

Use this during internal audits to verify that supplier information security risks are identified, assessed, controlled, and reviewed.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.20 Audit Checklist

Use this during internal audits to verify that supplier security requirements are formally agreed and appropriate to the supplier relationship.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.21 Audit Checklist

Use this during internal audits to verify that ICT supply-chain dependencies and inherited security risks are identified and managed.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.22 Audit Checklist

Use this during internal audits to verify that supplier services and security practices are monitored, reviewed, evaluated, and changed through a controlled process.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.23 Audit Checklist

Use this during internal audits to verify that cloud services are acquired, used, managed, and exited according to information security requirements.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.24 Audit Checklist

Use this during internal audits to verify that incident management planning and preparation are defined, communicated, and ready to operate.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.25 Audit Checklist

Use this during internal audits to test whether A.5.25 Assessment and Decision on Information Security Events is designed, implemented, operating, and evidenced.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.26 Audit Checklist

Use this during internal audits to test whether A.5.26 Response to Information Security Incidents is designed, implemented, operating, and evidenced.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.27 Audit Checklist

Use this during internal audits to test whether A.5.27 Learning from Information Security Incidents is designed, implemented, operating, and evidenced.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.28 Audit Checklist

Use this during internal audits to test whether A.5.28 Collection of Evidence is designed, implemented, operating, and evidenced.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.29 Audit Checklist

Use this during internal audits to test whether A.5.29 Information Security During Disruption is designed, implemented, operating, and evidenced.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.30 Audit Checklist

Use this during internal audits to test whether A.5.30 ICT Readiness for Business Continuity is designed, implemented, operating, and evidenced.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.31 Audit Checklist

Use this during internal audits to test whether A.5.31 Legal, Statutory, Regulatory and Contractual Requirements is designed, implemented, operating, and evidenced.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.32 Audit Checklist

Use this during internal audits to test whether A.5.32 Intellectual Property Rights is designed, implemented, operating, and evidenced.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.33 Audit Checklist

Use this during internal audits to test whether A.5.33 Protection of Records is designed, implemented, operating, and evidenced.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.34 Audit Checklist

Use this during internal audits to test whether A.5.34 Privacy and Protection of PII is designed, implemented, operating, and evidenced.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.35 Audit Checklist

Use this during internal audits to test whether A.5.35 Independent Review of Information Security is designed, implemented, operating, and evidenced.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.36 Audit Checklist

Use this during internal audits to test whether A.5.36 Compliance with Policies, Rules and Standards for Information Security is designed, implemented, operating, and evidenced.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.37 Audit Checklist

Use this during internal audits to test whether A.5.37 Documented Operating Procedures is designed, implemented, operating, and evidenced.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.5 Audit Checklist

Use this during internal audits to test whether relevant authority contacts are identified, maintained, authorized, and usable.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.6 Audit Checklist

Use this during internal audits to verify that the organization maintains relevant external security knowledge contacts and uses received information appropriately.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.7 Audit Checklist

Use this during internal audits to verify that threat information is collected, analyzed, contextualized, and used to support ISMS decisions.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.8 Audit Checklist

Use this during internal audits to verify that information security is embedded in project governance and applied to sampled projects.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.9 Audit Checklist

Use this during internal audits to verify that information and associated assets are inventoried, owned, maintained, and protected.

ISO27001 ISO27002 template audit
Template note 01 min read

A.6.1 Audit Checklist

- Confirm the organization has a documented screening procedure. - Confirm screening applies to employees, contractors, temporary staff, and third-party users in ISMS scope. - C...

ISO27001 ISO27002 template audit
Template note 01 min read

A.6.2 Audit Checklist

Use this checklist during an internal audit of employment, contractor, and third-party security responsibility terms.

ISO27001 ISO27002 template audit
Template note 01 min read

A.6.3 Audit Checklist

Use this checklist during an internal audit of information security awareness, education, training, and update processes.

ISO27001 ISO27002 template audit
Template note 01 min read

A.6.4 Audit Checklist

Use this checklist during an internal audit of disciplinary handling for information security policy violations.

ISO27001 ISO27002 template audit
Template note 01 min read

A.6.5 Audit Checklist

Use this checklist during an internal audit of leaver, mover, contractor offboarding, and continuing responsibility controls.

ISO27001 ISO27002 template audit
Template note 01 min read

A.6.6 Audit Checklist

Use this checklist during an internal audit of confidentiality and non-disclosure agreement controls.

ISO27001 ISO27002 template audit
Template note 01 min read

A.6.7 Audit Checklist

- Confirm remote working policy and procedures exist. - Confirm authorized remote workers, locations, activities, data, and controls are recorded. - Check remote working risk as...

ISO27001 ISO27002 template audit
Template note 01 min read

A.6.8 Audit Checklist

Use this checklist during an internal audit of information security event reporting.

ISO27001 ISO27002 template audit
Template note 01 min read

A.7.1 Audit Checklist

- Confirm physical security perimeters are defined. - Confirm zones are linked to information/assets and risk. - Review perimeter diagrams or zone register. - Walk the perimeter...

ISO27001 ISO27002 template audit
Template note 01 min read

A.7.10 Audit Checklist

Use this checklist during an internal audit of storage media acquisition, use, transport, storage, disposal, destruction, and damaged-media handling.

ISO27001 ISO27002 template audit
Template note 01 min read

A.7.11 Audit Checklist

Use this checklist during an internal audit of power, cooling, telecommunications, water, emergency lighting, fire protection, and building-management utility resilience.

ISO27001 ISO27002 template audit
Template note 01 min read

A.7.12 Audit Checklist

Use this checklist during an internal audit of power, data, telecommunications, and supporting service cabling.

ISO27001 ISO27002 template audit
Template note 01 min read

A.7.13 Audit Checklist

Use this checklist during an internal audit of equipment maintenance and repair controls.

ISO27001 ISO27002 template audit
Template note 01 min read

A.7.14 Audit Checklist

Use this checklist during an internal audit of equipment disposal, reuse, sale, donation, recycling, or repair dispatch.

ISO27001 ISO27002 template audit
Template note 01 min read

A.7.2 Audit Checklist

- Confirm secure areas are identified. - Confirm entry controls match risk and sensitivity. - Review physical access authorization and logs. - Check physical access review recor...

ISO27001 ISO27002 template audit
Template note 01 min read

A.7.3 Audit Checklist

Use this checklist during an internal audit of physical security design for offices, rooms, and facilities.

ISO27001 ISO27002 template audit
Template note 01 min read

A.7.4 Audit Checklist

- Confirm premises monitoring scope is documented. - Confirm monitoring is continuous where required. - Review monitoring service or personnel responsibilities. - Check alarm re...

ISO27001 ISO27002 template audit
Template note 01 min read

A.7.5 Audit Checklist

Use this checklist during an internal audit of physical and environmental threat protection.

ISO27001 ISO27002 template audit
Template note 01 min read

A.7.6 Audit Checklist

Use this checklist during an internal audit of work performed inside secure areas.

ISO27001 ISO27002 template audit
Template note 01 min read

A.7.7 Audit Checklist

Use this checklist during an internal audit of clear desk, clear screen, printer, fax, and unattended information controls.

ISO27001 ISO27002 template audit
Template note 01 min read

A.7.8 Audit Checklist

Use this checklist during an internal audit of equipment siting, physical protection, environmental exposure, and remote equipment scope.

ISO27001 ISO27002 template audit
Template note 01 min read

A.7.9 Audit Checklist

Use this checklist during an internal audit of assets taken, used, stored, or accessed outside organization premises.

ISO27001 ISO27002 template audit

Exam prep

Study notes and distinction cues for certification preparation.

1 item

Deep links

Link to this domain with /research/iso27001/audit-evidence/ . Link directly to exact notes from any resource card above.