Day 4: ISO 27001:2022 Audit Questionnaire (Technological Controls I)

Focus Area: Technological Controls (A.8.1–A.8.20)

Objective: Collaboratively assess core IT security controls, including endpoints, access, networks, and malware protection, to ensure robust technical safeguards within the ISMS.

Personnel Needed: IT manager, system admins, network engineers

Total Questions: 54 (averaging 2-3 per control, tailored to complexity)

Day 4 Schedule

9:00 AM - 1:00 PM: A.8.1–A.8.10 (Endpoints, Access, Malware)
1:00 PM - 2:00 PM: Lunch/Break
2:00 PM - 5:00 PM: A.8.11–A.8.20 (Data, Networks)

Morning Session: Endpoints, Access & Malware (A.8.1–A.8.10)

User Endpoint Devices

A.8.1
  1. How are user endpoint devices (e.g., laptops, phones) secured? Can we review the endpoint security policy together (e.g., endpoint policy)?
  2. What technical controls are in place? Can we discuss examples (e.g., encryption settings)?
  3. How is compliance monitored? Can we see monitoring methods (e.g., endpoint audit logs)?

Privileged Access Rights

A.8.2
  1. How are privileged access rights assigned and managed? Can we review the privileged access policy (e.g., access control policy)?
  2. Can we discuss recent privileged access assignments (e.g., assignment records)?
  3. How are these rights reviewed? Can we look at review processes (e.g., review logs)?

Information Access Restriction

A.8.3
  1. How is access to information restricted based on need? Can we review the access control policy (e.g., access lists)?
  2. Are there tools enforcing these restrictions? Can we see examples (e.g., system configs)?

Access to Source Code

A.8.4
  1. How is access to source code controlled? Can we review the source code access policy (e.g., code access rules)?
  2. Who has access, and how is it tracked? Can we discuss tracking methods (e.g., access logs)?

Secure Authentication

A.8.5
  1. What secure authentication methods are used (e.g., MFA)? Can we review the authentication policy (e.g., MFA policy)?
  2. How are authentication credentials protected? Can we see protection measures (e.g., encryption configs)?
  3. How are weak authentication attempts detected? Can we discuss detection methods (e.g., failed login logs)?

Capacity Management

A.8.6
  1. How do you monitor and manage IT system capacity? Can we review the capacity management process (e.g., capacity plan)?
  2. Can we discuss recent capacity monitoring activities (e.g., capacity reports)?

Protection Against Malware

A.8.7
  1. What measures protect against malware? Can we review the anti-malware policy or tools (e.g., AV configs)?
  2. How often are scans run, and what's done with findings? Can we see examples (e.g., scan logs)?
  3. How are malware incidents handled? Can we discuss recent cases (e.g., incident reports)?

Management of Technical Vulnerabilities

A.8.8
  1. How do you identify and manage technical vulnerabilities? Can we review the vulnerability management process (e.g., vulnerability management plan)?
  2. Can we discuss recent vulnerability scans or patches (e.g., scan results)?
  3. How are critical vulnerabilities prioritized? Can we see prioritization methods (e.g., risk ratings)?

Configuration Management

A.8.9
  1. How are system configurations managed to ensure security? Can we review the configuration policy (e.g., config standards)?
  2. Can we look at examples of secure baseline configurations (e.g., server configs)?
  3. How are config changes tracked? Can we discuss tracking methods (e.g., change logs)?

Information Deletion

A.8.10
  1. How is information securely deleted when no longer needed? Can we review the deletion policy (e.g., data disposal policy)?
  2. What methods ensure permanent deletion? Can we see examples (e.g., wipe logs)?

Afternoon Session: Data & Networks (A.8.11–A.8.20)

Data Masking

A.8.11
  1. How is sensitive data masked where required? Can we review the data masking policy (e.g., masking guidelines)?
  2. What techniques are used (e.g., anonymization)? Can we discuss examples (e.g., masked data samples)?

Data Leakage Prevention

A.8.12
  1. What measures prevent data leakage? Can we review the DLP policy or tools (e.g., DLP configs)?
  2. How are leakage attempts detected and handled? Can we see examples (e.g., DLP logs)?

Information Backup

A.8.13
  1. How are backups managed to ensure availability? Can we review the backup policy (e.g., backup schedule)?
  2. Can we discuss recent backups and restores (e.g., backup logs)?
  3. How are backups protected? Can we see protection methods (e.g., encryption logs)?

Redundancy of Information Processing Facilities

A.8.14
  1. How is redundancy built into IT systems? Can we review the redundancy plan (e.g., redundancy design)?
  2. When was redundancy last tested? Can we discuss test outcomes (e.g., test records)?

Logging

A.8.15
  1. What events are logged (e.g., access, changes)? Can we review the logging policy (e.g., log settings)?
  2. How are logs protected and reviewed? Can we see examples (e.g., log samples)?
  3. How do you ensure logs are complete? Can we discuss verification methods (e.g., log audits)?

Monitoring Activities

A.8.16
  1. How are IT systems monitored for security? Can we review the monitoring process or tools (e.g., monitoring dashboard)?
  2. Can we discuss recent monitoring activities (e.g., monitoring reports)?

Clock Synchronization

A.8.17
  1. How are system clocks synchronized? Can we review the sync policy or setup (e.g., NTP configs)?
  2. Can we see evidence of synchronized timestamps (e.g., log timestamps)?

Use of Privileged Utility Programs

A.8.18
  1. How is the use of privileged utilities controlled? Can we review the policy (e.g., utility access rules)?
  2. Who can use them, and how is access tracked? Can we discuss tracking methods (e.g., utility logs)?

Installation of Software on Operational Systems

A.8.19
  1. How is software installation controlled? Can we review the software installation policy (e.g., install procedure)?
  2. Can we discuss recent installations (e.g., install records)?
  3. How are unauthorized installs prevented? Can we see prevention methods (e.g., system restrictions)?

Networks Security

A.8.20
  1. How are networks secured (e.g., firewalls, segmentation)? Can we review the network security policy (e.g., network policy)?
  2. Can we look at network configurations or diagrams (e.g., network maps)?
  3. How are network breaches detected? Can we discuss detection methods (e.g., intrusion logs)?

Execution Plan for Day 4

Tips for Day 4