A.5 Organizational Controls Audit Guide
This note gives the audit view for the currently documented A.5 organizational controls. Use the evidence packs for detailed requests and this guide for audit logic.
ISO27001 domain with 270 resources grouped for implementation and audit work.
Domain guide
Evidence packs, audit questions, implementation proof, registers, and records that help prove controls are operating.
Guide + resources
Implementation context, reference notes, and explanatory material.
This note gives the audit view for the currently documented A.5 organizational controls. Use the evidence packs for detailed requests and this guide for audit logic.
1. Select samples across employees, contractors, temporary staff, and third-party users. 2. Compare onboarding dates, agreement dates, screening completion dates, and access pro...
1. Review zone registers, floor/security diagrams, and risk assessment. 2. Walk the physical site and test practical bypass paths. 3. Observe badge use, visitor handling, recept...
1. Review policies and standards before sampling technical evidence. 2. Sample endpoint inventory against MDM/EDR/compliance reports. 3. Check remote access, timeout, encryption...
Audit question set for ISO27001-A.7.12. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.7.13. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.7.14. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
- What risk does this control treat? - Who owns the control? - How do you know it operated during the audit period? - What happens when the control fails? - What evidence would...
This guide is the audit view of the vault. It turns the ISO/IEC 27001 and Annex A notes into audit planning, evidence testing, interview questions, findings, and corrective acti...
Audit question set for ISO27001-A.7.10. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.7.11. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.7.9. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.7.8. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.6.1. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.6.2. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.6.3. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.6.4. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.6.5. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.6.6. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.6.7. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.6.8. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.7.1. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.7.2. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.7.3. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.7.4. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.7.5. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.7.6. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.7.7. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.33. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.34. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.35. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.36. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.37. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.23. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.24. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.25. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.26. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.27. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.28. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.29. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.30. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.31. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.32. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.1. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.10. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.11. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.12. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.13. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.14. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.15. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.16. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.17. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.18. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.19. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.2. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.20. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.21. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.22. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.3. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.4. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.5. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.6. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.7. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.8. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.9. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Control-level notes and control-domain references.
Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant...
People must know how they are allowed to use organizational information and assets, and how they must handle information based on sensitivity and classification.
When someone leaves, changes role, ends a contract, or no longer needs an asset, the organization must get its assets back and ensure organizational information is returned or s...
Information must be grouped by protection need so people know how carefully to handle it.
If information is classified, people need a practical way to see or infer the classification so they can handle it correctly.
The organization must define how information can be transferred safely, both internally and externally.
The organization must define and enforce rules for who can access information, systems, services, networks, applications, repositories, and physical locations.
Every user identity should be created, changed, reviewed, disabled, and removed through a controlled process.
The organization must control how secret authentication information is issued, changed, protected, reset, and handled.
Access rights must be granted, changed, reviewed, and removed through a controlled process.
The organization must manage information security risks created by suppliers, supplier products, and supplier services.
Information security roles and responsibilities must be defined and allocated according to organizational needs.
The organization must put the right security requirements into supplier contracts or agreements before the supplier receives access to information, systems, facilities, or servi...
The organization must manage security risks that come through ICT suppliers and the suppliers behind those suppliers.
Supplier security does not end when the contract is signed. The organization must keep checking whether the supplier is delivering the agreed service securely, whether controls...
Cloud services must be governed from selection to exit. The organization needs defined processes for buying, configuring, using, monitoring, changing, and leaving cloud services...
The organization must prepare before incidents happen. It needs defined and communicated incident management processes, roles, responsibilities, escalation paths, and recovery c...
The organization must review reported security events and make a clear, recorded decision: is this just an event, or is it an information security incident that needs formal res...
Once an event is categorized as an incident, the organization must respond using documented procedures rather than improvising.
The organization must turn incident experience into better controls, procedures, awareness, risk treatment, and response capability.
The organization must know how to identify, collect, acquire, preserve, store, and protect evidence related to security events so it remains complete, reliable, and usable.
The organization must decide in advance how information security will be maintained during serious disruption, crisis, disaster recovery, or business continuity events.
No single person should be able to perform a sensitive activity from beginning to end without independent oversight, approval, review, or control.
The organization must plan, build, maintain, and test ICT continuity capability so priority systems and services can recover in line with business continuity objectives.
The organization must know which legal, statutory, regulatory, and contractual information security requirements apply, document them, keep them current, and define how it will...
The organization must have procedures that prevent unauthorized use, copying, distribution, modification, or licensing misuse of software, documents, designs, source code, trade...
The organization must protect required records for as long as they need to be retained, so they are not lost, destroyed, falsified, accessed without authorization, or released w...
The organization must identify privacy and PII protection requirements that apply to the personal information it collects, stores, processes, transmits, shares, or retains, then...
The organization must have its information security management approach and actual implementation independently reviewed at planned intervals and when significant changes happen.
The organization must regularly check whether people, processes, and systems comply with its information security policies, rules, standards, and technical implementation requir...
The organization must document operating procedures for information processing facilities and make the current approved procedures available to the people who need to use them.
Management must require all personnel to apply information security in accordance with the organization's information security policy, topic-specific policies, and procedures.
The organization must know which external authorities matter for information security and must maintain usable contact paths before an incident, investigation, regulatory reques...
The organization should stay connected to credible external security knowledge sources. Security teams should not rely only on internal experience, vendor marketing, or outdated...
The organization must collect threat information, analyze it in context, and turn it into usable intelligence for decisions.
Projects must handle information security from the start, not as a late review before go-live.
The organization must know what information and related assets it has, where they are, who owns them, how important they are, and how they are protected.
The organization should check that people are who they claim to be, have the relevant background for the role, and do not present unmanaged personnel risk before they join or re...
People should not have to guess what they are responsible for. Employment contracts, contractor agreements, confidentiality agreements, onboarding acknowledgements, or security...
People need to know how to behave securely in their actual role. Everyone needs baseline awareness, but people with specific responsibilities need deeper training that matches t...
The organization needs a documented and communicated process for handling information security policy violations. People should know that violations can lead to action, and mana...
When someone leaves the organization or changes role, their old access, assets, and responsibilities must be handled deliberately. Some rights should stop immediately. Some duti...
The organization should know when confidentiality or non-disclosure agreements are needed, use terms that match its information-protection needs, keep those agreements legally u...
When people work away from organization premises, the organization still has to protect information. That includes homes, hotels, coffee shops, customer sites, temporary offices...
People need to know what might be a security event, how to report it, who to report it to, and what not to do. Reporting should be fast, simple, and no-blame enough that people...
The organization should know which physical areas need protection and where the boundaries are. A perimeter can be a building boundary, floor, room, cage, cabinet, loading area,...
The organization should control storage media from the moment it is obtained until it is erased, destroyed, disposed of, or transferred. Media includes digital and physical carr...
Information processing facilities need supporting utilities to operate. Electricity, cooling, ventilation, telecommunications, water, fire protection, emergency lighting, and bu...
Cables are part of the information processing environment. If they are badly routed, unprotected, mixed incorrectly, poorly labelled, or accessible to unauthorized people, they...
Equipment that runs reliably today can still fail tomorrow. The organization should define maintenance needs, follow supplier recommendations, use authorized maintainers, keep m...
Before equipment is reused, sold, returned, repaired, donated, recycled, or discarded, the organization should verify that sensitive information and licensed software are no lon...
If an area is secure, entry should be controlled. The organization should know who is allowed in, how entry is verified, how visitors are handled, how delivery/loading areas are...
The organization should design and implement physical protections for offices, rooms, and facilities based on what those areas contain and how critical or sensitive the work is.
The organization should monitor premises for unauthorized physical access, similar to how networks are monitored for intrusion. Monitoring may be manual, automated, or a mix of...
The organization should protect sites, buildings, rooms, and infrastructure from hazards such as fire, flood, explosion, chemical leaks, civil unrest, utility failure, and threa...
The organization should define how people work inside secure areas when the work itself is sensitive or critical. Physical entry controls are not enough. The rules must also cov...
People should not leave sensitive papers, removable media, printed documents, fax messages, or unlocked screens exposed where unauthorized people can see, photograph, remove, al...
The organization should place and protect equipment in a way that reduces physical damage, environmental damage, unauthorized access, unauthorized use, and information exposure.
The organization should protect equipment, documents, data, software, and storage media when they leave the organization's controlled environment.
The organization should protect laptops, desktops, mobile phones, tablets, personal devices, and other endpoint devices that users rely on to access organizational information.
The organization should not keep information forever just because storage is cheap. When information is no longer needed for business, legal, regulatory, contractual, or evidenc...
The organization should hide, replace, tokenize, pseudonymize, or anonymize sensitive data where full visibility is not needed. The goal is to let people or systems use data for...
The organization should prevent sensitive information from leaving approved locations, systems, networks, or channels without authorization. This requires understanding which in...
The organization should make backup copies of important information, software, and systems, protect those backups, and regularly test whether they can actually be restored.
The organization should design critical processing facilities so that a single failure does not create unacceptable downtime. Redundancy may involve duplicate equipment, cluster...
The organization should collect useful logs, protect them from tampering, keep them long enough, and review or analyse them so security-relevant events can be detected and inves...
The organization should actively watch important technology environments for signs that something abnormal or suspicious is happening. Monitoring should help detect possible att...
Operational systems should not accept software changes just because someone has technical ability to install them. New software, updates, libraries, patches, scripts, packages,...
Privileged access allows users to administer systems, override controls, change configurations, access sensitive data, or recover systems during failure. Because privileged acce...
Networks are not just cables and routers. They are trust paths between users, systems, applications, cloud services, suppliers, and management interfaces. If the network is poor...
When the organization uses network services, especially third-party network services, it should know exactly what security features and service levels are required, what the pro...
Large flat networks are hard to defend. Network segregation divides users, systems, and services into smaller physical or logical zones so traffic between them can be controlled.
Users can be compromised by visiting malicious websites, downloading fake tools, following phishing links, or connecting to command-and-control infrastructure. Web filtering red...
The organization should define when cryptography is required, what approved cryptographic methods may be used, who manages keys, how keys are protected, and how cryptographic co...
Development work should follow secure rules from the beginning. This applies to software, services, networks, infrastructure, environments, and systems that are built or changed...
Application security requirements should be defined before the application is built, bought, integrated, or changed. The organization should decide what security the application...
The organization should define architectural and engineering principles that guide how systems are designed securely. These principles should be documented, maintained, and used...
Developers should follow secure coding standards that fit the languages, frameworks, tools, and risk level of the software being built. The standard should explain both general...
Security testing should be planned, performed, recorded, and used as part of development and acceptance. It should not be left until the final days before go-live.
The organization should make sure users can only access the information, functions, applications, databases, reports, exports, and assets they need for their role.
Source code, build tools, compilers, package repositories, CI/CD pipelines, and software libraries can directly change how systems behave. If an attacker or unauthorized insider...
Authentication is the point where a system tests whether the person, service, or device claiming an identity should be accepted. Secure authentication means the logon process do...
The organization should know whether its systems, networks, storage, cloud services, databases, staff, and other resources can support current and future demand. Capacity manage...
The organization should reduce the chance that malicious software infects systems, spreads through files or connected services, damages information, or gives attackers unauthori...
The organization should actively find out what vulnerabilities affect its systems, assess how exposed it is, and respond in a risk-based timeframe. Response can include patching...
The organization should define what secure and acceptable configuration looks like, apply it, monitor whether systems stay aligned to it, and review exceptions. If approved conf...
Audit evidence packs, registers, proof records, and evidence examples.
The auditor wants to confirm that information security policies are defined, approved, published, communicated, acknowledged, controlled, and reviewed.
The auditor wants to confirm that acceptable use rules and information handling procedures are defined, communicated, acknowledged, implemented, and enforced for relevant users...
The auditor wants to confirm that employees, contractors, third-party users, and other relevant parties return organizational assets when employment, contract, agreement, or rol...
The auditor wants to confirm that the organization has a clear, usable classification scheme and that information is classified according to confidentiality, integrity, availabi...
The auditor wants to confirm that labelling procedures exist, align with the classification scheme, and are implemented across relevant physical and digital forms of information.
The auditor wants to confirm that the organization has documented and implemented rules, procedures, or agreements for transferring information internally and externally across...
The auditor wants to confirm that physical and logical access rules are defined, implemented, approved, reviewed, and based on business and information security requirements.
The auditor wants to confirm that identities are uniquely registered where possible and managed through the full lifecycle: creation, authorization, change, review, disabling, d...
The auditor wants to confirm that secret authentication information is issued, managed, changed, reset, stored, and handled through a controlled process, and that users understa...
The auditor wants to confirm that access rights are formally provisioned, reviewed, modified, and removed according to access control rules.
The auditor wants to confirm that supplier information security risks are identified, assessed, controlled, contractually addressed, and reviewed.
The auditor wants to confirm that information security roles and responsibilities are defined, allocated, documented, communicated, understood, accepted, current, and applied to...
The auditor wants to confirm that supplier security requirements are established, agreed, authorized, and appropriate to the supplier relationship before access or information s...
The auditor wants to confirm that ICT supply-chain risks are identified and managed, including inherited risks from subcontractors, cloud providers, support parties, hosting pro...
The auditor wants to confirm that supplier security practices and service delivery are monitored, reviewed, evaluated, and changed through a controlled process.
The auditor wants to confirm that cloud service acquisition, use, management, and exit are governed according to the organization's information security requirements.
The auditor wants to confirm that incident management processes, roles, responsibilities, reporting routes, and preparation activities are defined, established, communicated, an...
The auditor wants to confirm that reported security events are assessed using defined criteria and that the incident/non-incident decision is recorded with justification and tim...
The auditor wants to confirm that confirmed information security incidents are responded to according to documented procedures and that response decisions, actions, responsibili...
The auditor wants to confirm that knowledge from incidents is captured and used to improve controls, procedures, awareness, risk treatment, and the ISMS.
The auditor wants to confirm that procedures exist and operate for identifying, collecting, acquiring, preserving, storing, and protecting evidence related to information securi...
The auditor wants to confirm that information security is maintained at an appropriate level during disruption and that continuity plans include security objectives, roles, requ...
The auditor wants to confirm that conflicting duties and responsibilities have been identified and segregated, or that compensating controls exist where segregation is not pract...
The auditor wants to confirm that ICT readiness is planned, implemented, maintained, and tested based on business continuity objectives and ICT continuity requirements.
The auditor wants to confirm that applicable legal, statutory, regulatory, and contractual information security requirements are identified, documented, owned, kept current, and...
The auditor wants to confirm that procedures protect intellectual property rights and that software, content, source code, libraries, and AI-generated material are used within a...
The auditor wants to confirm that required records are identified, retained, protected from loss/alteration/unauthorized access/release, reviewed, accessible through retention,...
The auditor wants to confirm that privacy and PII requirements are identified, mapped, implemented, reviewed, and evidenced for all relevant PII holdings, roles, transfers, and...
The auditor wants to confirm that the information security approach and implementation are independently reviewed at planned intervals and after significant changes, with findin...
The auditor wants to confirm that compliance with information security policies, rules, and standards is regularly reviewed through management and technical checks, with finding...
The auditor wants to confirm that operating procedures for information processing facilities are documented, controlled, current, available to personnel who need them, and used...
The auditor wants to confirm that managers actively require personnel to apply information security according to policies and procedures.
The auditor wants to confirm that the organization has identified relevant authorities, assigned authorized liaison roles, defined contact triggers, maintained accurate contact...
The auditor wants to confirm that the organization maintains proportionate contact with relevant specialist security groups, forums, or professional associations and that useful...
The auditor wants to confirm that threat information is collected, analyzed, validated, contextualized, and used to support risk assessment, risk treatment, control improvement,...
The auditor wants to confirm that information security is integrated into the project management method and applied in real projects from initiation through transition to operat...
The auditor wants to confirm that information and associated assets are identified, owned, classified, maintained, protected, and updated through change, project, procurement, a...
The auditor wants evidence that background verification checks are defined, applied, documented, and protected as personal data.
The auditor wants evidence that security responsibilities are defined, accepted, role-appropriate, current, and applicable to employees, contractors, and third-party users in sc...
The auditor wants evidence that training is role-relevant, current, recorded, repeated where needed, and improved based on effectiveness feedback.
The auditor wants evidence that the organization can respond fairly and consistently when personnel or relevant interested parties violate information security policy.
The auditor wants proof that old access and assets are removed, relevant parties are notified, and continuing duties are communicated after termination or role change.
The auditor wants evidence that agreements reflect actual confidentiality requirements and are legally usable where needed.
The auditor wants evidence that information remains protected when accessed, processed, or stored outside organization premises.
The auditor wants proof that reporting channels are known, usable, timely, and connected to event assessment and incident management.
The auditor wants evidence that physical zones protect assets and information, not just a floorplan showing rooms.
- Media handling follows classification. - Media is inventoried and labelled where appropriate. - Dispatches are authorized and recorded. - Sensitive media is protected during t...
- Critical facilities have documented utility dependencies. - UPS/generator tests include load, runtime, cooling, and maintenance evidence. - Alarms detect utility failures and...
- Cable routes are documented and protected. - Power/data segregation is implemented where needed. - Patch panels, cabinets, and connections are locked or access-controlled. - L...
- Maintenance is scheduled and recorded. - Faults and repairs are tracked. - Maintainers are authorized and qualified. - External maintainers are escorted where required. - Conf...
- Records identify asset, storage media, classification, method, verifier, and date. - Sanitization method matches media type and sensitivity. - Contractor records are asset-spe...
The auditor wants evidence that only authorized people can enter secure areas and that visitor, badge, delivery, and loading controls operate in practice.
- Controls are based on value, liability, importance, and classification. - Sensitive room purpose is not unnecessarily exposed. - Internal directories and access clues are prot...
- Monitoring scope is documented and risk-based. - Alerts have owners, response times, and escalation paths. - Monitoring tests are performed and recorded. - Monitoring staff kn...
- Hazard assessment includes site, room, utility, and neighbor risks. - Specialist advice exists for material hazards. - Controls are implemented and maintained. - Continuity ar...
- Secure-area work is identified and risk-assessed. - Need-to-know, device, media, supervision, and dual-control rules are documented. - Employees, contractors, and third partie...
- Rules cover papers, removable media, screens, printers, faxes, storage, and confidential waste. - Auto-lock settings are enforced. - Sensitive print/fax workflows are controll...
- Equipment inventory includes location, owner, and protection requirement. - Siting assessment covers physical, environmental, viewing, access, and interference risks. - Networ...
- Asset removal is authorized and logged. - Off-site assets are recorded with custodian, location, and review date. - Mobile devices are encrypted and managed. - Long-term loans...
Reusable implementation, audit, and operational templates.
Use this during internal audits to verify that acceptable use and handling rules are defined, acknowledged, implemented, and enforced.
Use this during internal audits to verify that assets are returned during termination, contract end, agreement end, or role change.
Use this during internal audits to verify that information classification is defined, implemented, understood, and maintained.
Use this during internal audits to verify that information labelling procedures are defined and implemented in line with the classification scheme.
Use this during internal audits to verify that information transfer rules, procedures, and agreements are defined and implemented across actual transfer channels.
Use this during internal audits to verify that physical and logical access controls are defined, implemented, approved, and reviewed.
Use this during internal audits to verify that identities are managed across the full lifecycle.
Use this during internal audits to verify that secret authentication information is allocated and managed through a controlled process.
Use this during internal audits to verify that access rights are provisioned, reviewed, modified, and removed according to access control rules.
Use this during internal audits to verify that supplier information security risks are identified, assessed, controlled, and reviewed.
Use this during internal audits to verify that supplier security requirements are formally agreed and appropriate to the supplier relationship.
Use this during internal audits to verify that ICT supply-chain dependencies and inherited security risks are identified and managed.
Use this during internal audits to verify that supplier services and security practices are monitored, reviewed, evaluated, and changed through a controlled process.
Use this during internal audits to verify that cloud services are acquired, used, managed, and exited according to information security requirements.
Use this during internal audits to verify that incident management planning and preparation are defined, communicated, and ready to operate.
Use this during internal audits to test whether A.5.25 Assessment and Decision on Information Security Events is designed, implemented, operating, and evidenced.
Use this during internal audits to test whether A.5.26 Response to Information Security Incidents is designed, implemented, operating, and evidenced.
Use this during internal audits to test whether A.5.27 Learning from Information Security Incidents is designed, implemented, operating, and evidenced.
Use this during internal audits to test whether A.5.28 Collection of Evidence is designed, implemented, operating, and evidenced.
Use this during internal audits to test whether A.5.29 Information Security During Disruption is designed, implemented, operating, and evidenced.
Use this during internal audits to test whether A.5.30 ICT Readiness for Business Continuity is designed, implemented, operating, and evidenced.
Use this during internal audits to test whether A.5.31 Legal, Statutory, Regulatory and Contractual Requirements is designed, implemented, operating, and evidenced.
Use this during internal audits to test whether A.5.32 Intellectual Property Rights is designed, implemented, operating, and evidenced.
Use this during internal audits to test whether A.5.33 Protection of Records is designed, implemented, operating, and evidenced.
Use this during internal audits to test whether A.5.34 Privacy and Protection of PII is designed, implemented, operating, and evidenced.
Use this during internal audits to test whether A.5.35 Independent Review of Information Security is designed, implemented, operating, and evidenced.
Use this during internal audits to test whether A.5.36 Compliance with Policies, Rules and Standards for Information Security is designed, implemented, operating, and evidenced.
Use this during internal audits to test whether A.5.37 Documented Operating Procedures is designed, implemented, operating, and evidenced.
Use this during internal audits to test whether relevant authority contacts are identified, maintained, authorized, and usable.
Use this during internal audits to verify that the organization maintains relevant external security knowledge contacts and uses received information appropriately.
Use this during internal audits to verify that threat information is collected, analyzed, contextualized, and used to support ISMS decisions.
Use this during internal audits to verify that information security is embedded in project governance and applied to sampled projects.
Use this during internal audits to verify that information and associated assets are inventoried, owned, maintained, and protected.
- Confirm the organization has a documented screening procedure. - Confirm screening applies to employees, contractors, temporary staff, and third-party users in ISMS scope. - C...
Use this checklist during an internal audit of employment, contractor, and third-party security responsibility terms.
Use this checklist during an internal audit of information security awareness, education, training, and update processes.
Use this checklist during an internal audit of disciplinary handling for information security policy violations.
Use this checklist during an internal audit of leaver, mover, contractor offboarding, and continuing responsibility controls.
Use this checklist during an internal audit of confidentiality and non-disclosure agreement controls.
- Confirm remote working policy and procedures exist. - Confirm authorized remote workers, locations, activities, data, and controls are recorded. - Check remote working risk as...
Use this checklist during an internal audit of information security event reporting.
- Confirm physical security perimeters are defined. - Confirm zones are linked to information/assets and risk. - Review perimeter diagrams or zone register. - Walk the perimeter...
Use this checklist during an internal audit of storage media acquisition, use, transport, storage, disposal, destruction, and damaged-media handling.
Use this checklist during an internal audit of power, cooling, telecommunications, water, emergency lighting, fire protection, and building-management utility resilience.
Use this checklist during an internal audit of power, data, telecommunications, and supporting service cabling.
Use this checklist during an internal audit of equipment maintenance and repair controls.
Use this checklist during an internal audit of equipment disposal, reuse, sale, donation, recycling, or repair dispatch.
- Confirm secure areas are identified. - Confirm entry controls match risk and sensitivity. - Review physical access authorization and logs. - Check physical access review recor...
Use this checklist during an internal audit of physical security design for offices, rooms, and facilities.
- Confirm premises monitoring scope is documented. - Confirm monitoring is continuous where required. - Review monitoring service or personnel responsibilities. - Check alarm re...
Use this checklist during an internal audit of physical and environmental threat protection.
Use this checklist during an internal audit of work performed inside secure areas.
Use this checklist during an internal audit of clear desk, clear screen, printer, fax, and unattended information controls.
Use this checklist during an internal audit of equipment siting, physical protection, environmental exposure, and remote equipment scope.
Use this checklist during an internal audit of assets taken, used, stored, or accessed outside organization premises.
Research note.
Research note.
Research note.
Research note.
Study notes and distinction cues for certification preparation.
The exam often tests the difference between intent, documentation, and operating evidence.
Link to this domain with /research/iso27001/audit-evidence/ . Link directly to exact notes from any resource card above.