ISO IEC 27002 2013 INFORMATION SECURITY AUDIT TOOL

7. PERSONNEL SECURITY MANAGEMENT AUDIT

7.1 EMPHASIZE SECURITY PRIOR TO EMPLOYMENT

7.1.1 VERIFY THE BACKGROUNDS OF ALL NEW PERSONNEL

CTRL Do you check the backgrounds of all candidates for employment? Y N X

CTRL Do you make sure that background verifications comply with all Y N X
relevant laws and regulations and with all relevant ethical standards?

CTRL Do you make sure that background verifications take your Y N X

unique security risks and requirements into consideration?

CTRL Do you perform more rigorous background verification Y N X

checks whenever the perceived security risk is greater?

CTRL Do you perform more rigorous background checks on Y N X

people who will be handling sensitive information?

GUIDE Do you respect all relevant legislation when you do background checks? Y N X

GUIDE Do you consider privacy legislation when verifications are done? Y N X

GUIDE Do you protect all relevant personally identifiable information? Y N X

GUIDE Do you inform candidates beforehand when legally required? Y N X

GUIDE Do you consider employment legislation when verifications are done? Y N X

GUIDE Have you established personnel background verification procedures? Y N X

GUIDE Did you define how background verifications should be performed? Y N X

GUIDE Did you define background verification criteria and clarify limitations? Y N X

GUIDE Did you clarify who is allowed to do background verifications? Y N X

GUIDE Did you clarify when background verifications should be done? Y N X

GUIDE Did you clarify why background verifications are important? Y N X

GUIDE Have you established a process for screening contractors? Y N X

GUIDE Do you use agreements to ensure that screening takes place? Y N X

GUIDE Do you specify contractor screening duties and responsibilities? Y N X

GUIDE Do you create notification procedures to address screening issues? Y N X

ORGANIZATION: YOUR LOCATION:

COMPLETED BY: DATE COMPLETED:

REVIEWED BY: DATE REVIEWED:

APR 2014 PLAIN ENGLISH INFORMATION SECURITY AUDIT TOOL EDITION 1.0

PART 7 COPYRIGHT 2014 BY PRAXIOM RESEARCH GROUP LIMITED. ALL RIGHTS RESERVED. PAGE 23
 ISO IEC 27002 2013 INFORMATION SECURITY AUDIT TOOL

7. PERSONNEL SECURITY MANAGEMENT AUDIT

GUIDE Do you clarify what must be done when problems are discovered? Y N X

GUIDE Do you clarify what must be done when screening isnt completed? Y N X

GUIDE Do you check the personal history of all candidates? Y N X

GUIDE Do you check the candidates personal identity? Y N X

GUIDE Do you check the candidates character references? Y N X

GUIDE Do you check the candidates financial credit history? Y N X

GUIDE Do you check to see if candidate has a criminal record? Y N X

GUIDE Do you verify the professional history of all candidates? Y N X

GUIDE Do you verify the candidates curriculum vitae (rsum)? Y N X

GUIDE Do you verify its completeness and accuracy? Y N X

GUIDE Do you verify the candidates qualifications? Y N X

GUIDE Do you verify the candidates occupational qualifications? Y N X

GUIDE Do you verify the candidates academic qualifications? Y N X

GUIDE Do you determine the suitability of all information security candidates? Y N X

GUIDE Do you verify the competence of information security candidates? Y N X

GUIDE Do you verify the trustworthiness of information security candidates? Y N X

GUIDE Do you do more checks if candidates will handle confidential information? Y N X

GUIDE Do you do more detailed checks for both new hires and promotions? Y N X

GUIDE Do you check more if information processing facilities will be accessed? Y N X

7.1.2 USE CONTRACTS TO PROTECT YOUR INFORMATION

CTRL Do you use contractual terms and conditions to specify Y N X

your organizations information security responsibilities?

CTRL Do you use contractual terms and conditions to specify Y N X

your employees information security responsibilities?

CTRL Do you use contractual terms and conditions to specify Y N X

your contractors information security responsibilities?

ORGANIZATION: YOUR LOCATION:

COMPLETED BY: DATE COMPLETED:

REVIEWED BY: DATE REVIEWED:

APR 2014 PLAIN ENGLISH INFORMATION SECURITY AUDIT TOOL EDITION 1.0

PART 7 COPYRIGHT 2014 BY PRAXIOM RESEARCH GROUP LIMITED. ALL RIGHTS RESERVED. PAGE 24
 ISO IEC 27002 2013 INFORMATION SECURITY AUDIT TOOL

7. PERSONNEL SECURITY MANAGEMENT AUDIT

GUIDE Do you draft confidentiality and nondisclosure agreements (see 13.2.4)? Y N X

GUIDE Do you ensure that agreements comply with your security policies? Y N X

GUIDE Do you prepare suitable confidentiality and nondisclosure agreements? Y N X

GUIDE Do you clarify information security obligations and responsibilities? Y N X

GUIDE Do you clarify all relevant legal obligations and responsibilities? Y N X

GUIDE Do you clarify copyright and data protection laws (18.1.2, 18.1.4)? Y N X

GUIDE Do you clarify how other peoples information must be handled? Y N X

GUIDE Do you safeguard information received from external parties? Y N X

GUIDE Do you safeguard information received from other companies? Y N X

GUIDE Do you clarify asset protection obligations and responsibilities (8)? Y N X

GUIDE Do you ensure that information is appropriately classified? Y N X

GUIDE Do you ensure that information services are properly protected? Y N X

GUIDE Do you ensure that information processing facilities are safeguarded? Y N X

GUIDE Do you clarify what happens if security requirements are disregarded? Y N X

GUIDE Do you clarify the actions and legal steps that will be taken (7.2.3)? Y N X

GUIDE Do you tell job candidates that they will be expected to sign agreements? Y N X

GUIDE Do you clarify their specific duties during the pre-employment process? Y N X

GUIDE Do you clarify their information security roles and responsibilities? Y N X

GUIDE Do you explain that obligations may continue after job ends (see 7.3)? Y N X

GUIDE Do you ensure that agreements are signed before access is allowed? Y N X

GUIDE Do you ask both employees and contractors to sign agreements? Y N X

GUIDE Do you ensure that terms and conditions are appropriate to the job? Y N X

GUIDE Do you ensure that they agree with your terms and conditions? Y N X

GUIDE Do you use contractual agreements to protect confidential information? Y N X

ORGANIZATION: YOUR LOCATION:

COMPLETED BY: DATE COMPLETED:

REVIEWED BY: DATE REVIEWED:

APR 2014 PLAIN ENGLISH INFORMATION SECURITY AUDIT TOOL EDITION 1.0

PART 7 COPYRIGHT 2014 BY PRAXIOM RESEARCH GROUP LIMITED. ALL RIGHTS RESERVED. PAGE 25
 ISO IEC 27002 2013 INFORMATION SECURITY AUDIT TOOL

7. PERSONNEL SECURITY MANAGEMENT AUDIT

7.2 EMPHASIZE SECURITY DURING EMPLOYMENT

7.2.1 EXPECT YOUR MANAGERS TO EMPHASIZE SECURITY

CTRL Do you make sure that your managers require all employees to apply Y N X
your organizations information security policies and procedures?

CTRL Do you make sure that your managers require all contractors to apply Y N X
your organizations information security policies and procedures?

GUIDE Do you expect managers to act as information security role models? Y N X

GUIDE Do you expect managers to support policies, procedures, and controls? Y N X

GUIDE Do you expect managers to enforce security policies and procedures? Y N X

GUIDE Do you expect managers to motivate employees and contractors? Y N X

GUIDE Do you expect managers to control access to information and systems? Y N X

GUIDE Do you clarify security roles and responsibilities before allowing access? Y N X

GUIDE Do you provide information security briefings before granting access? Y N X

GUIDE Do you provide information security guidelines before granting access? Y N X

GUIDE Do you expect managers to make people aware of their responsibilities? Y N X

GUIDE Do you clarify information security responsibilities specific to each job? Y N X

GUIDE Do you expect people to achieve a suitable level of security awareness? Y N X

GUIDE Do you expect managers to enforce terms and conditions of employment? Y N X

GUIDE Do you expect all personnel to use the appropriate work methods? Y N X

GUIDE Do you expect managers to ensure that all personnel are competent? Y N X

GUIDE Do they ensure that people have the right skills and qualifications? Y N X

GUIDE Do they ensure that people continue to have the right knowledge? Y N X

GUIDE Do you expect managers to provide an anonymous reporting channel? Y N X

GUIDE Do you expect people to report security policy and procedure violations? Y N X

ORGANIZATION: YOUR LOCATION:

COMPLETED BY: DATE COMPLETED:

REVIEWED BY: DATE REVIEWED:

APR 2014 PLAIN ENGLISH INFORMATION SECURITY AUDIT TOOL EDITION 1.0

PART 7 COPYRIGHT 2014 BY PRAXIOM RESEARCH GROUP LIMITED. ALL RIGHTS RESERVED. PAGE 26
 ISO IEC 27002 2013 INFORMATION SECURITY AUDIT TOOL

7. PERSONNEL SECURITY MANAGEMENT AUDIT

7.2.2 DELIVER INFORMATION SECURITY AWARENESS PROGRAMS

CTRL Do you make sure that your organizations employees Y N X

receive regular information security briefings and updates?

CTRL Do you make sure that employees are aware of your security policies Y N X

and procedures and are kept up-to-date with the latest changes?

CTRL Do you make sure that employees receive the information security Y N X

training and education they need to properly carry out their jobs?

CTRL Do you make sure that your organizations contractors Y N X

receive regular information security briefings and updates?

CTRL Do you make sure that contractors are aware of your security policies Y N X

and procedures and are kept up-to-date with the latest changes?

CTRL Do you make sure that your organizations contractors receive the Y N X

information security training and education they need to do their jobs?

GUIDE Have you established an information security awareness program? Y N X

GUIDE Did you ensure that the program complies with your security policies? Y N X

GUIDE Did you ensure that the program complies with your security procedures? Y N X

GUIDE Did you design and plan an information security awareness program? Y N X

GUIDE Did you think about the jobs people do and what you expect from them? Y N X

GUIDE Did you think about what employees should know about security? Y N X

GUIDE Did you think about what contractors should know about security? Y N X

GUIDE Did you think about what your awareness program should discuss? Y N X

GUIDE Did you think about your organizations specific security obligations? Y N X

GUIDE Did you think about what kinds of information should be protected? Y N X

GUIDE Did you think about your organizations information security controls? Y N X

GUIDE Did you think about your current information security controls? Y N X

GUIDE Did you think about newly adopted information security controls? Y N X

GUIDE Did you think about how your awareness program should be delivered? Y N X

ORGANIZATION: YOUR LOCATION:

COMPLETED BY: DATE COMPLETED:

REVIEWED BY: DATE REVIEWED:

APR 2014 PLAIN ENGLISH INFORMATION SECURITY AUDIT TOOL EDITION 1.0

PART 7 COPYRIGHT 2014 BY PRAXIOM RESEARCH GROUP LIMITED. ALL RIGHTS RESERVED. PAGE 27
 ISO IEC 27002 2013 INFORMATION SECURITY AUDIT TOOL

7. PERSONNEL SECURITY MANAGEMENT AUDIT

GUIDE Did you consider using booklets and newsletters to raise awareness? Y N X

GUIDE Did you consider using campaigns to raise security awareness? Y N X

GUIDE Did you consider using classroom-based teaching methods? Y N X

GUIDE Did you consider using web-based learning methods? Y N X

GUIDE Did you consider using self-paced learning methods? Y N X

GUIDE Did you consider using distance learning methods? Y N X

GUIDE Did you think about how awareness activities should be scheduled? Y N X

GUIDE Did you consider scheduling regular security awareness activities? Y N X

GUIDE Do you schedule activities for new employees and contractors? Y N X

GUIDE Do you schedule activities for current employees and contractors? Y N X

GUIDE Do you schedule activities for people with new roles or positions? Y N X

GUIDE Do you provide training before people start their new jobs? Y N X

GUIDE Did you consider scheduling periodic security awareness sessions? Y N X

GUIDE Do you use your awareness program to talk about information security? Y N X

GUIDE Do you talk about your organizations approach to information security? Y N X

GUIDE Do you discuss managements commitment to information security? Y N X

GUIDE Do you explain whose information must be protected and why? Y N X

GUIDE Do you discuss the need to be accountable for actions and inactions? Y N X

GUIDE Do you explain why personal accountability is so important? Y N X

GUIDE Do you talk about relevant information security rules and regulations? Y N X

GUIDE Do you explain why they must be familiar with rules and regulations? Y N X

GUIDE Do you explain why they must comply with rules and regulations? Y N X

GUIDE Do you explain why they must comply with security policies? Y N X

GUIDE Do you explain why they must comply with security legislation? Y N X

ORGANIZATION: YOUR LOCATION:

COMPLETED BY: DATE COMPLETED:

REVIEWED BY: DATE REVIEWED:

APR 2014 PLAIN ENGLISH INFORMATION SECURITY AUDIT TOOL EDITION 1.0

PART 7 COPYRIGHT 2014 BY PRAXIOM RESEARCH GROUP LIMITED. ALL RIGHTS RESERVED. PAGE 28
 ISO IEC 27002 2013 INFORMATION SECURITY AUDIT TOOL

7. PERSONNEL SECURITY MANAGEMENT AUDIT

GUIDE Do you explain why they must comply with security regulations? Y N X

GUIDE Do you explain why they must comply with security agreements? Y N X

GUIDE Do you explain why they must comply with security standards? Y N X

GUIDE Do you explain why they must comply with security contracts? Y N X

GUIDE Do you talk about your organizations information security expectations? Y N X

GUIDE Do you teach people about their information security responsibilities? Y N X

GUIDE Do you make employees aware of their security responsibilities? Y N X

GUIDE Do you explain how employees can meet their responsibilities? Y N X

GUIDE Do you make contractors aware of their security responsibilities? Y N X

GUIDE Do you explain how contractors can meet their responsibilities? Y N X

GUIDE Do you teach people about the information that must be protected? Y N X

GUIDE Do you teach people about your information security procedures? Y N X

GUIDE Do you teach people about your incident reporting procedures? Y N X

GUIDE Do you teach people about your information security controls? Y N X

GUIDE Do you teach people about your password security measures? Y N X

GUIDE Do you teach people about your malware control mechanisms? Y N X

GUIDE Do you teach people about your clear desk and screen policy? Y N X

GUIDE Do you teach people about how they can learn more about security? Y N X

GUIDE Do you explain who they can contact to get more information? Y N X

GUIDE Do you explain how they can access more security resources? Y N X

GUIDE Do you explain where they can get more training materials? Y N X

GUIDE Do you evaluate your information security awareness program? Y N X

GUIDE Do you see if it still complies with security policies and procedures? Y N X

GUIDE Do you update your information security awareness program? Y N X

GUIDE Do you base updates on lessons learned from security incidents? Y N X

ORGANIZATION: YOUR LOCATION:

COMPLETED BY: DATE COMPLETED:

REVIEWED BY: DATE REVIEWED:

APR 2014 PLAIN ENGLISH INFORMATION SECURITY AUDIT TOOL EDITION 1.0

PART 7 COPYRIGHT 2014 BY PRAXIOM RESEARCH GROUP LIMITED. ALL RIGHTS RESERVED. PAGE 29
 ISO IEC 27002 2013 INFORMATION SECURITY AUDIT TOOL

7. PERSONNEL SECURITY MANAGEMENT AUDIT

7.2.3 SET UP A DISCIPLINARY PROCESS FOR SECURITY BREACHES

CTRL Have you established a formal disciplinary process to Y N X

handle employees who have committed a security breach?

CTRL Do you communicate your disciplinary process and make sure that Y N X

all employees are aware of what happens when security is breached?

GUIDE Did you design a formal disciplinary process to handle security breaches? Y N X

GUIDE Did you design a process that treats offenders fairly and correctly? Y N X

GUIDE Did you design a graduated process that requires a measured response? Y N X

GUIDE Do you consider the nature and the gravity of security breaches? Y N X

GUIDE Do you consider the impact security breaches have on business? Y N X

GUIDE Do you consider legal obligations and contractual requirements? Y N X

GUIDE Do you consider how much security training the offender has? Y N X

GUIDE Do you consider whether or not it is a first or repeat offence? Y N X

GUIDE Do you consider whether or not it is a deliberate breach? Y N X

GUIDE Do you apply your disciplinary process whenever a breach occurs? Y N X

GUIDE Do you collect evidence before you initiate a disciplinary process? Y N X

GUIDE Do you make sure that a breach has occurred before you take action? Y N X

GUIDE Do you use your disciplinary process to deter future security breaches? Y N X

GUIDE Do you make it clear that security violations will not be tolerated? Y N X

7.3 EMPHASIZE SECURITY AT TERMINATION OF EMPLOYMENT

7.3.1 EMPHASIZE POST-EMPLOYMENT SECURITY REQUIREMENTS

CTRL Have you defined information security responsibilities and duties that Y N X

remain valid after personnel are terminated or responsibilities change?

CTRL Do you communicate your post-employment information Y N X

security requirements to both employees and contractors?

ORGANIZATION: YOUR LOCATION:

COMPLETED BY: DATE COMPLETED:

REVIEWED BY: DATE REVIEWED:

APR 2014 PLAIN ENGLISH INFORMATION SECURITY AUDIT TOOL EDITION 1.0

PART 7 COPYRIGHT 2014 BY PRAXIOM RESEARCH GROUP LIMITED. ALL RIGHTS RESERVED. PAGE 30
 ISO IEC 27002 2013 INFORMATION SECURITY AUDIT TOOL

7. PERSONNEL SECURITY MANAGEMENT AUDIT

CTRL Do you ensure that both employees and contractors clearly Y N X

understand what their information security responsibilities and

duties will continue to be even after they have been terminated
or their responsibilities have changed?

CTRL Do you enforce your organizations post-employment Y N X

information security expectations and requirements?

GUIDE Do you identify responsibilities still valid after termination of employment? Y N X

GUIDE Do you clarify which legal responsibilities remain valid after termination? Y N X

GUIDE Do you clarify which information security responsibilities remain valid? Y N X

GUIDE Do you clarify nondisclosure requirements that remain valid? Y N X

GUIDE Do you clarify confidentiality requirements that remain valid (13.2.4)? Y N X

GUIDE Do you clarify employment contract requirements that remain valid? Y N X

GUIDE Do you clarify how long security requirements are valid (7.1.2)? Y N X

GUIDE Do you clarify information security responsibilities when job duties change? Y N X

GUIDE Do you identify old responsibilities still valid after job duties change? Y N X

GUIDE Do you identify newly acquired information security responsibilities? Y N X

Answer each of the above questions. Three answers are possible: Y (yes), N (no), and X (eXclude). Y means you're in compliance,
N means you're not in compliance, while X means that this question can be excluded because its not applicable in your situation.
Y answers and X answers require no further action, while N answers point to security practices that need to be followed and
security controls that need to be implemented. Also, please use the column on the right to record your notes, and in the spaces
below, enter the name and location of your organization, who completed this page, who reviewed it, and the dates.

ORGANIZATION: YOUR LOCATION:

COMPLETED BY: DATE COMPLETED:

REVIEWED BY: DATE REVIEWED:

APR 2014 PLAIN ENGLISH INFORMATION SECURITY AUDIT TOOL EDITION 1.0

PART 7 COPYRIGHT 2014 BY PRAXIOM RESEARCH GROUP LIMITED. ALL RIGHTS RESERVED. PAGE 31