ISO IEC 27002 2005*
INFORMATION SECURITY AUDIT TOOL

*ISO IEC 27002 2005 was previously known as ISO IEC 17799 2005. Only the
number has changed; the content of the standard is the same.

 

 


ISO 27002 (17799) Information Security Audit

The following material describes our ISO IEC 27002 2005 (17799) Information
Security Audit Tool (Title 38). It does not present the complete product.
Instead, it shows how our plain English Security Audit Tool is organized and
introduces our approach. Once you've examined our approach, we hope you'll
consider purchasing the complete ISO IEC 27002 2005 Information Security
Audit Tool.

We begin with a table of contents, which shows how we've organized our
Auditing Tool. To illustrate our approach, we also provide sample audit
questionnaires. The complete Auditing Tool is 257 pages long and has 11
questionnaires made up of several hundred audit questions. One questionnaire
is provided for each of the eleven sections (5 to 15) that make up the standard.

For each audit question, three answers are possible: Yes, No, and N/A. A Yes
answer means you're in compliance with the standard, a No answer means you're
not in compliance, and an N/A answer means that the question is not applicable
in your situation. Yes answers identify security practices that are already being
followed; they require no further action. In contrast, each No answer reveals a
gap between the ISO 27002 standard and your practices, and points to a security
practice that needs to be implemented and an action that should be taken. Record
the evidence behind each answer (the policy, procedure, contract or record you
examined) in the Comments column, so that a reviewer can verify the answer rather
than take it on trust.

Our audit questionnaires can be used to identify the gaps that exist between
ISO's security standard and your organization's security practices. As a result,
our audit tool can also be used to perform a very detailed gap analysis. Once
you've filled all the gaps, you can be confident that your practices address
every control and guideline in the standard. Bear in mind that ISO 27002 is a
code of practice: closing its gaps shows that your practices align with its
guidance, while it is ISO 27001 that sets the requirements an information
security management system is certified against. If you use our Information
Security Audit Tool you will not only align your practices with ISO's many
security guidelines but also improve the overall performance of your
information security program.

ISO 17799 Information Security Audit

If you purchase our ISO 27002 Information Security Audit Tool, you'll find
that it's integrated, detailed, exhaustive, and easy to understand. You'll
find that we've worked hard to create a high quality product. In fact, we
guarantee the quality!

ISO IEC 27002 (17799)
INFORMATION SECURITY AUDIT TOOL

(TITLE 38)

TABLE OF CONTENTS

PART   TITLE                                                        PAGE
1      Audit Profile                                                3
2      Audit Summary                                                4
3      Introduction to Audit                                        5
4      Outline of Audit Process                                     6
5      Security Policy Management Audit                             14
6      Corporate Security Management Audit                          21
7      Organizational Asset Management Audit (pdf)                  <<SAMPLE
8      Human Resource Security Management Audit (html)              <<SAMPLE
9      Physical and Environmental Security Management Audit (pdf)   <<SAMPLE
10     Communications and Operations Management Audit               101
11     Information Access Control Management Audit                  153
12     Information Systems Security Management Audit                188
13     Information Security Incident Management Audit               215
14     Business Continuity Management Audit                         226
15     Compliance Management Audit                                  240
16     Legal and Contact Information                                256
SEPT 2007 COPYRIGHT © 2007 BY PRAXIOM RESEARCH GROUP LIMITED  VERSION 4.0
The following material presents a sample of our audit questionnaires. 
 

ISO IEC 27002 2005
INFORMATION SECURITY AUDIT TOOL
(PRODUCT SAMPLE BASED ON TITLE 38)

8. HUMAN RESOURCE SECURITY MANAGEMENT AUDIT
 
8.1 EMPHASIZE SECURITY PRIOR TO EMPLOYMENT COMMENTS  
1 GOAL Have you reduced the risk of theft, fraud, or misuse of facilities by making sure that all prospective employees understand their responsibilities before you hire them? YES NO N/A    
2 GOAL Have you reduced the risk of theft, fraud, or misuse of facilities by making sure that all prospective contractors understand their responsibilities before you hire them? YES NO N/A    
3 GOAL Have you reduced the risk of theft, fraud, or misuse of facilities by making sure that all third-party users understand their responsibilities before you allow them to use your facilities? YES NO N/A    
4 GOAL Have you reduced the risk of theft, fraud, or misuse of facilities by making sure that all prospective employees are suitable given the roles that they will be asked to carry out? YES NO N/A    
5 GOAL Have you reduced the risk of theft, fraud, or misuse of facilities by making sure that all prospective contractors are suitable given the tasks that they will be carrying out? YES NO N/A    
6 GOAL Have you reduced the risk of theft, fraud, or misuse of facilities by making sure that all third party users are suitable before you allow them to use your facilities? YES NO N/A    
7 GOAL Do you use clear job descriptions to define the security responsibilities that new personnel will be carrying out? YES NO N/A    
8 GOAL Do you use employment terms and conditions to specify the security responsibilities that new personnel will be asked to carry out? YES NO N/A    
9 GOAL Do you screen all employees before you hire them, especially when they will be asked to perform sensitive jobs? YES NO N/A    
10 GOAL Do you screen all contractors before you hire them, especially when they will be asked to provide sensitive services? YES NO N/A    
11 GOAL Do you screen all third-party users, especially when they will be allowed to access sensitive information? YES NO N/A    
12 GOAL Do you ask prospective employees to sign agreements that specify what their security roles and responsibilities are? YES NO N/A    
13 GOAL Do you ask prospective contractors to sign agreements that specify what their security roles and responsibilities are? YES NO N/A    
14 GOAL Do you ask prospective third-party users to sign agreements that specify what their security roles and responsibilities are? YES NO N/A    
8.1.1 DEFINE SECURITY ROLES AND RESPONSIBILITIES COMMENTS  
15 CTRL Are your organization’s security roles and responsibilities defined in accordance with your information security policy? YES NO N/A    
16 CTRL Do you use your security role and responsibility definitions to implement your security policy? YES NO N/A    
17 CTRL Have you implemented your information security policy by expecting prospective employees to perform security roles and responsibilities? YES NO N/A    
18 CTRL Have you implemented your organization’s information security policy by expecting prospective contractors to perform security roles and responsibilities? YES NO N/A    
19 CTRL Have you implemented your organization’s information security policy by expecting third-party users to perform security roles and responsibilities? YES NO N/A    
20 CTRL Have you documented security roles and responsibilities? YES NO N/A    
21 GUIDE Do your security roles and responsibilities make it clear that all personnel must implement your organization’s information security policy? YES NO N/A    
22 GUIDE Do your security roles and responsibilities make it clear that all behavior must comply with your organization’s information security policy? YES NO N/A    
23 GUIDE Do your organization’s security roles and responsibilities make it clear that all assets must be protected from unauthorized access? YES NO N/A    
24 GUIDE Do your organization’s security roles and responsibilities make it clear that all assets must be protected from unauthorized disclosure? YES NO N/A    
25 GUIDE Do your organization’s security roles and responsibilities make it clear that all assets must be protected from unauthorized modification? YES NO N/A    
26 GUIDE Do your organization’s security roles and responsibilities make it clear that all assets must be protected from unauthorized destruction? YES NO N/A    
27 GUIDE Do your organization’s security roles and responsibilities make it clear that all assets must be protected from unauthorized interference? YES NO N/A    
28 GUIDE Do your security roles and responsibilities make it clear that all specified security activities and processes must be carried out? YES NO N/A    
29 GUIDE Do your security roles and responsibilities make it clear that responsibilities must be assigned to specific people? YES NO N/A    
30 GUIDE Do your security roles and responsibilities make it clear that specific people will be held accountable for their actions and inactions? YES NO N/A    
31 GUIDE Do your security roles and responsibilities make it clear that security risks must be reported to your organization? YES NO N/A    
32 GUIDE Do your security roles and responsibilities make it clear that security events must be reported to your organization? YES NO N/A    
33 GUIDE Do you communicate your organization’s security roles and responsibilities to job applicants during the pre-employment process? YES NO N/A
34 NOTE Do you communicate your organization’s security roles and responsibilities to all non-staff members? YES NO N/A    
35 NOTE Do you use job descriptions to document and communicate your organization’s security roles and responsibilities? YES NO N/A    
8.1.2 VERIFY THE BACKGROUNDS OF NEW PERSONNEL COMMENTS  
36 CTRL Do you check the backgrounds of all candidates for employment before you allow them to access your organization’s information? YES NO N/A    
37 CTRL Do you check the backgrounds of contractors before you allow them to access your organization’s information? YES NO N/A    
38 CTRL Do you check the backgrounds of third-party users before you allow them to access your organization’s information? YES NO N/A    
39 CTRL Do your background checks comply with all relevant laws and regulations? YES NO N/A
40 CTRL Do your background checks comply with all relevant ethical standards? YES NO N/A
41 CTRL Do you perform more rigorous background checks on people who will be accessing sensitive information? YES NO N/A    
42 CTRL Do you perform more rigorous background checks when the perceived security risk is greater? YES NO N/A    
43 CTRL Do your background checks meet your organization’s business requirements? YES NO N/A    
44 GUIDE Do your background checks comply with all relevant privacy legislation? YES NO N/A    
45 GUIDE Do your background checks comply with all relevant labor and employment legislation? YES NO N/A
46 GUIDE Do your background checks comply with all relevant personal data protection legislation? YES NO N/A    
47 GUIDE Do you check out the applicant’s character references? YES NO N/A    
48 GUIDE Do you verify the applicant’s curriculum vitae (résumé)? YES NO N/A    
49 GUIDE Do you verify the applicant’s professional qualifications? YES NO N/A    
50 GUIDE Do you verify the applicant’s academic qualifications? YES NO N/A    
51 GUIDE Do you verify the applicant’s personal identity? YES NO N/A
52 GUIDE Do you carry out credit checks on new personnel? YES NO N/A    
53 GUIDE Do you check to see if applicants have criminal records? YES NO N/A    
54 GUIDE Do you perform more detailed background checks on new hires who will be handling sensitive or confidential information? YES NO N/A
55 GUIDE Do you perform more detailed background checks on people who have been promoted to a position where they will be handling sensitive or confidential information? YES NO N/A
56 GUIDE Have you established procedures to control background checks? YES NO N/A
57 GUIDE Do your background checking procedures define how background checks should be performed? YES NO N/A
58 GUIDE Do your background checking procedures define who is allowed to carry out background checks? YES NO N/A
59 GUIDE Do your background checking procedures define when background checks may be performed? YES NO N/A
60 GUIDE Do your background checking procedures define why background checks should be performed? YES NO N/A
61 GUIDE Do you use contracts to control how personnel agencies screen contractors on behalf of your organization? YES NO N/A
62 GUIDE Do your personnel agency contracts define notification procedures that agencies must follow whenever background checks identify doubts or concerns? YES NO N/A
63 GUIDE Do agreements with third-party users define the notification procedures that must be followed whenever background checks identify doubts or concerns? YES NO N/A    
64 GUIDE Do your background checks comply with all relevant information collection and handling legislation? YES NO N/A    
65 GUIDE Do all candidates understand that background checks will be performed if legislation requires you to do so? YES NO N/A    
8.1.3 USE CONTRACTS TO PROTECT YOUR INFORMATION COMMENTS  
66 CTRL Do you use contractual terms and conditions to specify your organization’s information security responsibilities? YES NO N/A    
67 CTRL Do you use contractual terms and conditions to specify your employees’ information security responsibilities? YES NO N/A    
68 CTRL Do you use contractual terms and conditions to specify your contractors’ information security responsibilities? YES NO N/A    
69 CTRL Do you use contractual terms and conditions to specify third-party users’ information security responsibilities? YES NO N/A    
70 GUIDE Do your employment terms and conditions apply your organization’s information security policy? YES NO N/A    
71 GUIDE Do all new employees sign confidentiality or nondisclosure agreements before you allow them to access sensitive information? YES NO N/A
72 GUIDE Do all new contractors sign confidentiality or nondisclosure agreements before you allow them to access sensitive information? YES NO N/A
73 GUIDE Do all new third-party users sign confidentiality or nondisclosure agreements before you allow them to use sensitive information? YES NO N/A
74 GUIDE Do you use employment contracts to specify what new employees’ legal rights and responsibilities are? YES NO N/A
75 GUIDE Do you use contractual terms and conditions to specify what new contractors’ legal rights and responsibilities are? YES NO N/A
76 GUIDE Do you use contractual terms and conditions to specify what your new third-party users’ legal rights and responsibilities are? YES NO N/A
77 GUIDE Do you use contractual terms and conditions to state how copyright laws must be respected and applied? YES NO N/A
78 GUIDE Do you use contractual terms and conditions to explain how data protection laws must be applied? YES NO N/A
79 GUIDE Do you use employment contracts to state that employees are expected to classify information? YES NO N/A
80 GUIDE Do you use employment contracts to state that employees are expected to handle and help control your organization’s information systems and services? YES NO N/A
81 GUIDE Do you use your contractual terms and conditions to state that contractors are expected to handle and help control your information systems and services? YES NO N/A    
82 GUIDE Do you use your contractual terms and conditions to state that third-party users are expected to handle and help control information systems and services? YES NO N/A    
83 GUIDE Do you use employment contracts to explain how employees are expected to handle information received from other companies or external parties? YES NO N/A    
84 GUIDE Do you use contractual terms and conditions to explain how contractors are expected to handle information received from other companies or external parties? YES NO N/A    
85 GUIDE Do you use contractual terms and conditions to explain how third-party users are expected to handle information received from other companies or external parties? YES NO N/A    
86 GUIDE Do you use employment contracts to explain how your organization is legally obligated to manage and protect personal information? YES NO N/A    
87 GUIDE Do you use employment contracts to explain what employees must do to protect personal information? YES NO N/A    
88 GUIDE Do you use contracts to make it clear that personnel must protect your information even when they are working at home or outside of normal working hours? YES NO N/A    
89 GUIDE Do you use employment contracts to explain what will be done if an employee disregards your organization’s security requirements? YES NO N/A
90 GUIDE Do you use contracts to explain what will be done if a contractor disregards your security requirements? YES NO N/A
91 GUIDE Do you use contracts to explain what will be done if a third-party user disregards your security requirements? YES NO N/A
92 GUIDE Do you use contractual terms and conditions to define the security restrictions and obligations that control how employees will use your assets and access your information systems and services? YES NO N/A
93 GUIDE Do you use contractual terms and conditions to define the security restrictions and obligations that control how contractors will use your assets and access your information systems and services? YES NO N/A
94 GUIDE Do you use contractual terms and conditions to define the security restrictions and obligations that control how third-party users will use your assets and access your information systems and services? YES NO N/A
95 GUIDE Do you use contractual terms and conditions to ensure that all personnel agree to comply with the information security restrictions and obligations that control how they use your assets and access your information systems and services? YES NO N/A
96 GUIDE Do your security restrictions and obligations continue for a specified period after employment has been terminated? YES NO N/A
97 GUIDE Do you use a code of conduct to describe the ethical obligations and responsibilities that employees, contractors, and third-party users must accept? YES NO N/A
98 GUIDE Do you use a code of conduct to describe the data protection obligations and responsibilities that employees, contractors, and third-party users must accept? YES NO N/A
99 GUIDE Do you use a code of conduct to describe the confidentiality obligations and responsibilities that employees, contractors, and third-party users must accept? YES NO N/A
100 GUIDE Do you use a code of conduct to describe your tools and equipment usage restrictions and expectations? YES NO N/A
101 GUIDE Do you use a code of conduct to describe facility use restrictions and expectations? YES NO N/A
102 GUIDE Do you use a code of conduct to define reputable practices? YES NO N/A    
  Etcetera ... YES NO N/A    
   
ORGANIZATION: SCOPE OF AUDIT:
COMPLETED BY: DATE COMPLETED:
REVIEWED BY: DATE REVIEWED:
   
SEP 2007 COPYRIGHT © PRAXIOM RESEARCH GROUP LIMITED. ALL RIGHTS RESERVED. VER 4.0
PART 8 HUMAN RESOURCE SECURITY MANAGEMENT AUDIT PAGE 64
 

If you would like to see the rest of this IT Audit questionnaire, please
consider purchasing the complete ISO 27002 2005 INFORMATION SECURITY AUDIT
TOOL (Title 38).

 

ISO 27002 Information Security Audit

COPYRIGHT AUTHORIZATION

If you purchase our ISO 27002 2005 IT Security Audit Tool, you may make as many
copies as you need for use at one site or location within your own organization!


Now that you know what our Information Security Audit
Tool looks like, please consider