Day 3: ISO 27001:2022 Audit Questionnaire (People & Physical Controls)

Focus Area: People Controls (A.6.1–A.6.8) & Physical Controls (A.7.1–A.7.14)

Objective: Collaboratively evaluate human-related security practices and physical protection measures to ensure staff and facilities support the ISMS effectively.

Personnel Needed: HR manager, staff representatives, facilities staff, security team

Total Questions: 54 (21 for People + 33 for Physical, averaging 2-3 per control)

Day 3 Schedule

9:00 AM - 12:00 PM    A.6.1–A.6.8     People Controls
12:00 PM - 1:00 PM    Lunch/Break
1:00 PM - 5:00 PM     A.7.1–A.7.14    Physical Controls

Morning Session: People Controls (A.6.1–A.6.8)

Screening

A.6.1
  1. How are background checks conducted for new employees, contractors, and third parties, and are they proportionate to the role and the information it will access? Can we review the screening policy or procedure together?
  2. Can we discuss recent screenings and how they're documented (e.g., background check reports, verification of identity and references)?
  3. How do you ensure screening meets legal, regulatory, and contractual requirements (e.g., data protection limits on what may be checked)? Can we see compliance checks (e.g., legal review records)?

Terms and Conditions of Employment

A.6.2
  1. Do employment contracts include information security responsibilities? Can we review a sample contract or clause together (e.g., employment agreement)?
  2. How are these terms communicated to employees? Can we see acknowledgment records (e.g., signed forms)?

Information Security Awareness, Education, and Training

A.6.3
  1. What security awareness and training programs are in place? Can we review the schedule or materials together (e.g., training slides)?
  2. How do you ensure all personnel receive relevant training? Can we see attendance or completion records (e.g., training logs)?
  3. How is training effectiveness evaluated? Can we discuss assessment methods (e.g., quiz results)?

Disciplinary Process

A.6.4
  1. Is there a disciplinary process for security policy violations? Can we review the policy or procedure together (e.g., disciplinary guidelines)?
  2. Can we discuss examples of disciplinary actions taken (e.g., anonymized incident reports)?

Responsibilities After Termination or Change of Employment

A.6.5
  1. Which security responsibilities survive termination, and how are they enforced (e.g., continuing confidentiality obligations, asset return, access revocation)? Can we review the termination process (e.g., exit checklist)?
  2. Can we look at records of recent terminations with these measures applied (e.g., completed exit forms, access removal tickets)?
  3. How do you handle role changes that affect security access, including removal of entitlements from the previous role? Can we discuss examples (e.g., access change logs)?

Confidentiality or Non-Disclosure Agreements

A.6.6
  1. Are confidentiality or NDAs required for employees, contractors, or third parties? Can we review a sample agreement (e.g., NDA template)?
  2. How are these agreements enforced and monitored? Can we see renewal or violation records (e.g., monitoring logs)?

Remote Working

A.6.7
  1. How is security ensured for remote working, including the physical environment and the devices used? Can we review the remote work policy or controls together (e.g., remote access policy)?
  2. What technical measures are in place for remote work (e.g., VPN, multi-factor authentication, disk encryption, endpoint management)? Can we review configuration evidence for them?
  3. How are remote workers trained on security practices specific to remote work? Can we see training evidence (e.g., training records)?

Information Security Event Reporting

A.6.8
  1. How are employees encouraged to report security events? Can we review the reporting procedure or awareness materials (e.g., reporting guide)?
  2. Can we discuss examples of recent event reports (e.g., incident logs)?
  3. How are reports handled and escalated? Can we see the process or escalation records (e.g., escalation tickets)?

Afternoon Session: Physical Controls (A.7.1–A.7.14)

Physical Security Perimeters

A.7.1
  1. How are physical security perimeters defined to protect areas containing information and other assets? Can we review site plans or specifications together (e.g., facility layout)?
  2. Are these perimeters regularly inspected for gaps or damage? Can we discuss inspection practices (e.g., maintenance logs)?
  3. How is unauthorized access across the perimeter prevented? Can we walk the perimeter and see the controls in place (e.g., locked gates, staffed reception)?

Physical Entry

A.7.2
  1. What controls restrict entry to secure areas, and how are badges or keys issued and revoked? Can we review the entry control policy or system together (e.g., keycard system)?
  2. How are entry logs maintained and reviewed, and what would a review look for (e.g., entries outside working hours, badges not in the active register)? Can we look at recent logs and review records (e.g., access logs)?
  3. How do you handle visitor access, including identification, escort, and sign-out? Can we discuss the procedure (e.g., visitor register)?
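An auditor asking about log review under A.7.2 usually wants to see what the review actually checks. The following is an added example of such a review pass, written for this questionnaire rather than taken from any badge-system vendor or auditee: it parses a constructed badge-reader export and flags granted entries by badges absent from the active register, entries to a restricted zone outside its permitted hours, and a second entry without an intervening exit (which indicates someone left without badging out, often by tailgating). The log lines, badge register, zone names, and permitted hours are all constructed.

```python
"""Added example: a review pass over badge-reader logs. The export, badge
register and zone rules below are constructed sample data."""
import csv
from datetime import datetime, time
from io import StringIO

# Constructed badge-reader export.
BADGE_LOG = """\
timestamp,badge,zone,direction,result
2024-03-18T08:55:10,1001,server-room,in,granted
2024-03-18T09:40:02,1001,server-room,out,granted
2024-03-18T12:10:44,1002,server-room,in,granted
2024-03-18T12:11:01,1003,server-room,in,granted
2024-03-18T22:30:19,1002,server-room,in,granted
2024-03-18T22:31:05,2099,server-room,in,granted
2024-03-18T23:05:00,1003,server-room,in,denied
"""

# Constructed active badge register (badge id -> holder). 2099 is not in it.
ACTIVE_BADGES = {"1001": "alice", "1002": "bob", "1003": "carol"}

# Hypothetical rule: permitted entry hours per restricted zone.
ZONE_HOURS = {"server-room": (time(7, 0), time(19, 0))}


def parse_log(text):
    """Parse the CSV export into dicts with a real datetime."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def review(rows, active_badges, zone_hours):
    """Return (finding, badge, timestamp) tuples for granted events that a
    log review should question. Denied events are skipped here; they are
    evidence for a separate question about failed-attempt follow-up."""
    findings = []
    inside = set()  # (badge, zone) pairs currently believed to be inside
    for row in sorted(rows, key=lambda r: r["timestamp"]):
        if row["result"] != "granted":
            continue
        badge, zone, ts = row["badge"], row["zone"], row["timestamp"]
        key = (badge, zone)
        if badge not in active_badges:
            findings.append(("unregistered-badge", badge, ts))
        start, end = zone_hours.get(zone, (time.min, time.max))
        if row["direction"] == "in":
            if not (start <= ts.time() <= end):
                findings.append(("out-of-hours-entry", badge, ts))
            if key in inside:
                # Entered again without ever badging out: exit not recorded.
                findings.append(("entry-without-exit", badge, ts))
            inside.add(key)
        else:
            inside.discard(key)
    return findings


if __name__ == "__main__":
    for finding, badge, ts in review(parse_log(BADGE_LOG), ACTIVE_BADGES, ZONE_HOURS):
        print(f"{ts:%Y-%m-%d %H:%M} badge {badge}: {finding}")
```

On the constructed export the pass raises four items: badge 1002 entering the server room at 22:30 (out of hours) without having badged out since its 12:10 entry, and badge 2099, which is not in the register, entering at 22:31, also out of hours. Each would be traced back to a holder, a maintenance window, or a visitor record; the point for the audit is whether the auditee's own review would have surfaced them.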

Securing Offices, Rooms, and Facilities

A.7.3
  1. How are offices and rooms secured against unauthorized access? Can we review security measures (e.g., lock schedules)?
  2. Are these areas monitored? Can we see monitoring methods (e.g., camera logs)?

Physical Security Monitoring

A.7.4
  1. What systems monitor physical security (e.g., CCTV, intrusion alarms, door contacts), and who responds to alerts? Can we review the monitoring setup (e.g., system configs, alarm response procedure)?
  2. How long are monitoring records retained, who can access them, and how are they reviewed? Can we look at examples (e.g., retention settings, review records)?

Protecting Against Physical and Environmental Threats

A.7.5
  1. How do you assess and protect against threats like fire or flood? Can we review the risk assessment or mitigation plan (e.g., threat analysis)?
  2. What protective measures are in place? Can we discuss examples (e.g., fire suppression systems)?
  3. When were these measures last tested? Can we see test records (e.g., test reports)?

Working in Secure Areas

A.7.6
  1. Are there designated secure areas for sensitive work? Can we review a list or map (e.g., secure area map)?
  2. What rules govern working in these areas? Can we discuss the policy (e.g., secure area rules)?

Clear Desk and Clear Screen

A.7.7
  1. Is there a clear desk and clear screen policy? Can we review it together (e.g., policy document)?
  2. How is compliance monitored? Can we discuss methods (e.g., spot check records)?

Equipment Siting and Protection

A.7.8
  1. How is equipment placed to reduce risks? Can we review siting guidelines or layouts (e.g., equipment placement plan)?
  2. What protections prevent damage or theft? Can we see examples (e.g., equipment locks)?

Security of Assets Off-Premises

A.7.9
  1. How are assets protected when off-site? Can we review the off-site security policy (e.g., laptop security rules)?
  2. What controls track or secure off-premises assets? Can we discuss examples (e.g., tracking logs)?
  3. How do you handle lost or stolen off-site assets? Can we see examples (e.g., incident reports)?

Storage Media

A.7.10
  1. How is storage media managed through its life cycle (acquisition, use, transport, disposal) and protected? Can we review the media handling policy (e.g., media procedure)?
  2. Are there controls for media in transit or storage (e.g., encryption, locked storage, chain of custody)? Can we discuss examples (e.g., media encryption settings, transfer records)?

Supporting Utilities

A.7.11
  1. How are supporting utilities (power, cooling, water, telecommunications) protected against failure or disruption? Can we review the utility protection plan (e.g., UPS and power backup plan)?
  2. Are there backup systems in place, and are they tested under load? Can we see examples (e.g., generator test logs)?

Cabling Security

A.7.12
  1. How are cables protected from tampering or damage? Can we review cabling security measures (e.g., cabling layout)?
  2. How are cabling issues detected and fixed? Can we discuss examples (e.g., maintenance logs)?

Equipment Maintenance

A.7.13
  1. How is equipment maintained so that it stays available and secure, and how are maintenance staff (including third parties) supervised and the data on equipment protected during maintenance? Can we review the maintenance schedule or policy (e.g., maintenance plan)?
  2. Can we discuss recent maintenance activities, including any off-site repairs (e.g., maintenance records)?

Secure Disposal or Reuse of Equipment

A.7.14
  1. What's the process for securely disposing of or reusing equipment, including equipment holding storage media? Can we review the disposal policy (e.g., disposal procedure)?
  2. How do you verify that data and licensed software are removed before disposal or reuse, rather than relying on a simple delete? Can we see examples (e.g., wipe logs, destruction certificates)?
  3. Can we discuss recent disposals and match them to the asset register (e.g., disposal records)?

Execution Plan for Day 3

Tips for Day 3