Day 5: ISO 27001:2022 Audit Questionnaire (Technological II & Wrap-Up)

Focus Area: Technological Controls (A.8.21–A.8.34), Organizational Controls (A.5.24–A.5.37), and Wrap-Up

Objective: Collaboratively assess development-related technical controls, incident management, compliance processes, and finalize the audit with a review of findings and next steps.

Personnel Needed: IT developers, compliance officer, ISMS owner, top management

Total Questions: 70 (38 for Technological + 32 for Organizational, averaging 2-3 per control)

Day 5 Schedule

9:00 AM - 12:00 PM: Technological Controls (A.8.21–A.8.34)
12:00 PM - 1:00 PM: Lunch/Break
1:00 PM - 3:00 PM: Organizational Controls (A.5.24–A.5.37)
3:00 PM - 5:00 PM: Analysis & Closing Meeting (Findings & Next Steps)

Morning Session: Technological Controls (A.8.21–A.8.34)

Security of Network Services

A.8.21
  1. How do you secure network services (e.g., VPN, DNS)? Can we review the service security policy together (e.g., network service policy)?
  2. Are security requirements defined for these services? Can we discuss examples (e.g., service configs)?
  3. How is service security monitored? Can we see monitoring methods (e.g., service logs)?

Segregation of Networks

A.8.22
  1. How are networks segmented (e.g., VLANs)? Can we review the segmentation policy or diagrams (e.g., network maps)?
  2. How is segmentation enforced? Can we discuss enforcement methods (e.g., firewall rules)?

Web Filtering

A.8.23
  1. How is web access filtered to prevent threats? Can we review the web filtering policy (e.g., filtering rules)?
  2. What tools are used, and how are they set up? Can we see examples (e.g., filter configs)?

Use of Cryptography

A.8.24
  1. How is cryptography used to protect data? Can we review the cryptography policy (e.g., encryption policy)?
  2. Can we discuss examples of encrypted data or keys (e.g., key management logs)?
  3. How are cryptographic keys managed? Can we see management practices (e.g., key records)?

Secure Development Life Cycle

A.8.25
  1. How is security integrated into the SDLC? Can we review the SDLC policy (e.g., development process)?
  2. Can we discuss a recent project with security steps (e.g., project docs)?
  3. How are developers trained on security? Can we see training evidence (e.g., training records)?

Application Security Requirements

A.8.26
  1. How are security requirements defined for applications? Can we review requirement documents (e.g., app security specs)?
  2. How are these requirements implemented? Can we discuss examples (e.g., app configs)?

Secure System Architecture and Engineering Principles

A.8.27
  1. Are secure architecture principles applied? Can we review the principles or policy (e.g., architecture guidelines)?
  2. Can we discuss a system designed with these principles (e.g., system design docs)?

Secure Coding

A.8.28
  1. How is secure coding enforced? Can we review the secure coding policy (e.g., coding standards)?
  2. Can we discuss examples of code reviews or guidelines (e.g., review reports)?
  3. How are coding flaws addressed? Can we see fix examples (e.g., bug fix logs)?

Security Testing in Development and Acceptance

A.8.29
  1. How is security testing conducted during development? Can we review the testing process (e.g., test plan)?
  2. Can we discuss recent test results (e.g., test reports)?
  3. How are test failures resolved? Can we see resolution methods (e.g., fix records)?

Outsourced Development

A.8.30
  1. How is security ensured in outsourced development? Can we review the outsourcing policy or contracts (e.g., dev contracts)?
  2. How is outsourced work monitored? Can we discuss monitoring methods (e.g., audit reports)?

Separation of Development, Test, and Production Environments

A.8.31
  1. How are dev, test, and prod environments separated? Can we review the separation policy (e.g., env separation rules)?
  2. Can we see evidence of separation (e.g., network configs)?
  3. How are breaches of this separation detected? Can we discuss detection methods (e.g., breach logs)?

Change Management

A.8.32
  1. How are changes to systems managed? Can we review the change management process (e.g., change procedure)?
  2. Can we discuss recent changes (e.g., change logs)?
  3. How are security impacts assessed? Can we see examples (e.g., risk assessments)?

Test Information

A.8.33
  1. How is test data protected? Can we review the test data policy (e.g., test data rules)?
  2. Is real data avoided in testing? Can we discuss examples (e.g., test data samples)?

Protection of Information Systems During Audit Tests

A.8.34
  1. How are systems protected during audits or tests? Can we review the protection policy (e.g., audit protection rules)?
  2. Can we discuss protections from recent tests (e.g., test logs)?

Afternoon Session: Organizational Controls (A.5.24–A.5.37)

Information Security Incident Management Planning and Preparation

A.5.24
  1. Is there an incident management plan? Can we review it together (e.g., incident plan)?
  2. How do you prepare for incidents (e.g., training, testing)? Can we discuss preparation methods (e.g., test records)?
  3. How is the plan kept current? Can we see update examples (e.g., revision logs)?

Assessment and Decision on Information Security Events

A.5.25
  1. How do you assess security events to determine if they're incidents? Can we review the process (e.g., event assessment procedure)?
  2. Can we discuss recent event assessments (e.g., assessment reports)?

Response to Information Security Incidents

A.5.26
  1. What's the process for responding to incidents? Can we review it together (e.g., response procedure)?
  2. Can we discuss recent incident responses (e.g., incident logs)?

Learning from Information Security Incidents

A.5.27
  1. How do you analyze incidents to prevent recurrence? Can we review analysis methods (e.g., root cause reports)?
  2. What improvements have resulted? Can we discuss examples (e.g., improvement plans)?

Collection of Evidence

A.5.28
  1. How do you collect evidence during incidents? Can we review the procedure (e.g., evidence collection guide)?
  2. Can we discuss examples of collected evidence (e.g., evidence logs)?

Information Security During Disruption

A.5.29
  1. How do you ensure security during disruptions? Can we review the plan (e.g., disruption security plan)?
  2. Has this been tested? Can we discuss test outcomes (e.g., test reports)?

ICT Readiness for Business Continuity

A.5.30
  1. Are ICT systems ready to support continuity? Can we review the continuity plan (e.g., ICT continuity plan)?
  2. When was this last tested? Can we see test examples (e.g., continuity test logs)?

Legal, Statutory, Regulatory, and Contractual Requirements

A.5.31
  1. How do you identify applicable legal and regulatory requirements? Can we review the register (e.g., compliance register)?
  2. How is compliance monitored? Can we discuss monitoring methods (e.g., compliance reports)?

Intellectual Property Rights

A.5.32
  1. How do you protect intellectual property? Can we review the policy or controls (e.g., IPR policy)?
  2. Are there records of IPR compliance checks? Can we see examples (e.g., IPR audit logs)?

Protection of Records

A.5.33
  1. How are important records protected? Can we review the procedure (e.g., record protection rules)?
  2. Can we discuss examples of protected records (e.g., backup logs)?

Privacy and Protection of PII

A.5.34
  1. How do you protect personally identifiable information (PII)? Can we review the privacy policy (e.g., PII policy)?
  2. Are there PII risk assessments? Can we discuss examples (e.g., PII risk reports)?

Independent Review of Information Security

A.5.35
  1. When was the last independent security review? Can we review the report (e.g., review findings)?
  2. How are review findings addressed? Can we discuss action plans (e.g., follow-up records)?

Compliance with Security Policies and Standards

A.5.36
  1. How do you monitor compliance with security policies? Can we review monitoring methods (e.g., compliance dashboards)?
  2. What happens when noncompliance is found? Can we discuss examples (e.g., noncompliance reports)?

Documented Operating Procedures

A.5.37
  1. Are operating procedures for security controls documented? Can we review examples (e.g., procedure manuals)?
  2. How are these procedures kept current? Can we discuss update methods (e.g., revision logs)?