Day 2: ISO 27001:2022 Audit Questionnaire (Organizational Controls)

Focus Area: Organizational Controls (A.5.1–A.5.23)

Objective: Collaboratively assess key governance controls, including policies, roles, assets, risks, and supplier relationships, to ensure a strong ISMS foundation.

Personnel Needed: ISMS owner, risk owners, procurement team, IT staff

Total Questions: 58 (averaging 2-3 per control based on complexity)

Day 2 Schedule

  9:00 AM - 12:00 PM   A.5.1–A.5.12    Policies, Roles, Assets
  12:00 PM - 1:00 PM   Lunch/Break
  1:00 PM - 5:00 PM    A.5.13–A.5.23   Access, Suppliers, Cloud

Morning Session: Policies, Roles & Assets (A.5.1–A.5.12)

A.5.1 Policies for Information Security
  1. Is there a set of information security policies in place? Can we review the latest versions together (e.g., policy documents)?
  2. How are these policies reviewed and updated to stay relevant? Can we look at the process or schedule (e.g., review logs)?
  3. Who approves the policies, and how is this tracked? Can we see the approval records (e.g., signatures, emails)?

A.5.2 Information Security Roles and Responsibilities
  1. Are security roles and responsibilities defined for all relevant personnel? Can we go through the documentation together (e.g., org chart, job descriptions)?
  2. How do you ensure these roles are assigned and understood? Can we see assignment records or acknowledgment forms (e.g., signed agreements)?
  3. How do you verify staff are fulfilling these responsibilities? Can we discuss monitoring methods (e.g., performance reviews)?

A.5.3 Segregation of Duties
  1. How do you ensure conflicting duties are separated to prevent fraud or errors? Can we review how this is applied in a process (e.g., who requests vs. who approves a payment or system change)?
  2. Are there documented roles or procedures showing segregation? Can we look at examples (e.g., process flowcharts, role descriptions)?
  3. How do you detect if segregation fails or is bypassed? Can we discuss the monitoring controls (e.g., system logs, exception reports)?

A.5.4 Management Responsibilities
  1. How does management ensure security policies are followed? Can we talk about oversight practices (e.g., meeting minutes)?
  2. Are managers accountable for security in their areas? Can we see how this is tracked (e.g., performance reviews, accountability logs)?
  3. How does management address security gaps? Can we discuss recent examples (e.g., action plans)?

A.5.5 Contact with Authorities
  1. How do you identify and maintain contact with relevant authorities? Can we review the contact list or procedure (e.g., emergency contact sheet)?
  2. When was this last used or tested? Can we discuss any recent examples (e.g., communication logs)?

A.5.6 Contact with Special Interest Groups
  1. Are you involved with security forums or groups? Can we look at your participation details (e.g., membership list)?
  2. How do you use this information to improve security? Can we discuss some examples (e.g., meeting notes)?

A.5.7 Threat Intelligence
  1. How do you collect and analyze threat intelligence? Can we review the process or tools you use (e.g., threat reports)?
  2. Can we discuss recent threat intelligence findings and how they're acted upon (e.g., action plans)?
  3. How do you ensure threat intelligence is current? Can we see update schedules (e.g., subscription renewals)?

A.5.8 Information Security in Project Management
  1. How is security integrated into project management? Can we review a policy or project plan together (e.g., project checklist)?
  2. Can we discuss a recent project where security was applied (e.g., project documentation)?

A.5.9 Inventory of Information and Other Associated Assets
  1. Is there an up-to-date inventory of assets like data and hardware? Can we go through it (e.g., asset register)?
  2. How are assets identified and tracked? Can we discuss the process (e.g., tracking system)?
  3. How do you verify the inventory's accuracy? Can we see verification records (e.g., audit reports)?

A.5.10 Acceptable Use of Information and Other Associated Assets
  1. Are there rules for acceptable use of assets? Can we review the policy together (e.g., AUP document)?
  2. How are these rules communicated to staff? Can we talk about your approach (e.g., training records)?
  3. How do you enforce these rules? Can we see enforcement examples (e.g., violation logs)?

A.5.11 Return of Assets
  1. How do you ensure assets are returned when personnel leave? Can we review the process (e.g., exit checklist)?
  2. Are there records of asset returns? Can we look at some examples (e.g., return forms)?

A.5.12 Classification of Information
  1. How is information classified (e.g., confidential, public)? Can we see the classification policy (e.g., classification guide)?
  2. Can we discuss examples of classified information in use (e.g., labeled documents)?
  3. How do you ensure classification is consistent? Can we review training or checks (e.g., staff training records)?

Afternoon Session: Access, Suppliers & Cloud (A.5.13–A.5.23)

A.5.13 Labelling of Information
  1. How is information labeled based on its classification? Can we review the labeling procedure (e.g., labeling guidelines)?
  2. Can we look at some labeled examples, like files or emails (e.g., sample emails)?

A.5.14 Information Transfer
  1. Are there rules for transferring information internally and externally? Can we review the policy (e.g., transfer procedure)?
  2. How are these rules enforced? Can we discuss how transfers are managed (e.g., transfer logs)?
  3. How do you handle transfer violations? Can we see examples (e.g., incident reports)?

A.5.15 Access Control
  1. Is there an access control policy? Can we review it together (e.g., access policy document)?
  2. How do you ensure access is granted based on business needs? Can we discuss the process (e.g., access request forms)?
  3. How are access controls monitored? Can we see monitoring methods (e.g., access logs)?

A.5.16 Identity Management
  1. How are user identities managed, including creation and modification? Can we go over the process (e.g., identity management system)?
  2. Can we discuss recent identity management activities you've handled (e.g., user creation logs)?

A.5.17 Authentication Information
  1. How is authentication information, like passwords, allocated and protected? Can we review the policy (e.g., password policy)?
  2. Are there controls to prevent reuse or sharing? Can we talk about how this works (e.g., system settings)?

A.5.18 Access Rights
  1. How are access rights assigned, reviewed, and revoked? Can we review the procedure (e.g., access review process)?
  2. Can we discuss recent access rights reviews you've conducted (e.g., review reports)?
  3. How do you ensure timely revocation? Can we see examples (e.g., termination logs)?

A.5.19 Information Security in Supplier Relationships
  1. How do you address security in supplier relationships? Can we look at a sample agreement (e.g., supplier contract)?
  2. Are supplier security requirements defined? Can we review them together (e.g., requirement list)?
  3. How do you ensure suppliers meet these requirements? Can we discuss your approach (e.g., supplier audits)?

A.5.20 Addressing Information Security Within Supplier Agreements
  1. Do supplier agreements include specific security clauses? Can we review some examples (e.g., contract clauses)?
  2. How do you verify supplier compliance with these clauses? Can we discuss your monitoring approach (e.g., audit reports)?

A.5.21 Managing Information Security in the ICT Supply Chain
  1. How do you manage security risks in the ICT supply chain? Can we go over the process (e.g., supply chain risk plan)?
  2. Can we discuss how you check supply chain security (e.g., supplier assessments)?

A.5.22 Monitoring, Review, and Change Management of Supplier Services
  1. How do you monitor supplier security performance? Can we review your monitoring methods (e.g., performance reports)?
  2. How are changes to supplier services managed? Can we talk about recent changes (e.g., change logs)?
  3. How do you ensure security during supplier changes? Can we see examples (e.g., risk assessments)?

A.5.23 Information Security for Use of Cloud Services
  1. How do you ensure security when using cloud services? Can we review the policy or risk assessment (e.g., cloud security policy)?
  2. Can we discuss the cloud security controls you've implemented (e.g., cloud configs)?
  3. How do you monitor cloud service security? Can we see monitoring methods (e.g., dashboards)?

Execution Plan for Day 2

Tips for Day 2