Control Question
5. Organizational Controls
1. Policies for information security: Can you provide documented policies governing information security practices within your organization?
2. Information security roles and responsibilities: Are roles and responsibilities for information security clearly defined and communicated throughout the organization?
3. Segregation of duties: How do you ensure segregation of duties to prevent unauthorized access and fraud?
4. Management responsibilities: How does senior management demonstrate their commitment to information security?
5. Contact with authorities: What procedures are in place for contacting authorities in the event of an information security incident?
6. Contact with special interest groups: How does your organization manage contact with special interest groups regarding information security matters?
7. Threat intelligence: How is threat intelligence gathered, analyzed, and used to enhance your organization's security posture?
8. Information security in project management: What measures are taken to integrate information security into project management processes?
9. Inventory of information and other associated assets: How do you maintain an inventory of information assets and associated risks?
10. Acceptable use of information and other associated assets: What measures are in place to ensure employees adhere to acceptable use policies for information assets?
11. Return of assets: How are information assets retrieved and secured when employees leave or assets are decommissioned?
12. Classification of information: How is information classified based on its sensitivity and criticality?
13. Labelling of information: What procedures are followed to label and handle classified information appropriately?
14. Information transfer: How is sensitive information securely transferred within and outside the organization?
15. Access control: What mechanisms are in place to control access to information and systems based on roles and responsibilities?
16. Identity management: How is identity and access management implemented to ensure appropriate access to resources?
17. Authentication information: How are users authenticated to ensure they are who they claim to be?
18. Access rights: How are access rights granted, reviewed, and revoked based on business needs and changes in roles?
19. Information security in supplier relationships: How do you manage information security risks associated with third-party suppliers and vendors?
20. Addressing information security within supplier agreements: What clauses related to information security are included in supplier agreements?
21. Managing information security in the ICT supply chain: How do you ensure security across the information and communication technology supply chain?
22. Monitoring, review, and change management of supplier services: How are supplier services monitored, reviewed, and managed for security compliance?
23. Information security for use of cloud services: How is information security managed when using cloud services, including data protection and access controls?
24. Information security incident management planning and preparation: Do you have a documented incident management plan? How is it tested and updated?
25. Assessment and decision on information security events: How are information security events assessed to determine their severity and impact?
26. Response to information security incidents: What procedures are followed to respond to and contain information security incidents promptly?
27. Learning from information security incidents: How does your organization learn from past incidents to improve future incident response and prevention?
28. Collection of evidence: What methods are used to collect and preserve evidence related to information security incidents?
29. Information security during disruption: How is information security maintained during business disruptions and continuity events?
30. ICT readiness for business continuity: How is ICT infrastructure prepared to support business continuity and disaster recovery plans?
31. Legal, statutory, regulatory, and contractual requirements: How do you ensure compliance with legal, statutory, regulatory, and contractual requirements related to information security?
32. Intellectual property rights: How are intellectual property rights protected within your information security framework?
33. Protection of records: What measures are in place to protect records and ensure their integrity and confidentiality?
34. Privacy and protection of PII: How is personally identifiable information (PII) protected against unauthorized access and disclosure?
35. Independent review of information security: How often is your information security framework independently reviewed and audited?
36. Compliance with policies, rules, and standards for information security: How do you ensure compliance with internal policies and external standards related to information security?
37. Documented operating procedures: Are there documented operating procedures for implementing and maintaining information security controls?
6. People Controls
38. Screening: What are the procedures for screening new employees regarding their background and security clearances?
39. Terms and conditions of employment: How are terms and conditions of employment enforced to include information security responsibilities?
40. Information security awareness, education, and training: How do you ensure employees are trained and aware of their information security responsibilities?
41. Disciplinary process: What procedures are in place for addressing information security violations and enforcing disciplinary actions?
42. Responsibilities after termination or change of employment: What procedures are followed to revoke system access when employees leave or change roles?
43. Confidentiality or non-disclosure agreements: How are confidentiality agreements enforced to protect sensitive information?
44. Remote working: How is information security maintained for employees working remotely or accessing systems outside the office?
45. Information security event reporting: How are employees encouraged to report information security incidents promptly and accurately?
7. Physical Controls
46. Physical security perimeters: How are physical access controls enforced to prevent unauthorized entry into secure areas?
47. Physical entry: What measures are in place to control and monitor physical entry into buildings and facilities?
48. Securing offices, rooms, and facilities: How are offices, rooms, and facilities secured against unauthorized access?
49. Physical security monitoring: How is physical security monitored to detect and respond to suspicious activities?
50. Protecting against physical and environmental threats: How are facilities protected against physical threats such as theft, vandalism, and natural disasters?
51. Working in secure areas: What procedures govern work conducted in secure areas to ensure information security?
52. Clear desk and clear screen: How are clear desk and clear screen policies enforced to prevent unauthorized access to sensitive information?
53. Equipment siting and protection: How are equipment and devices positioned and protected to prevent unauthorized access and damage?
54. Security of assets off-premises: How are company assets protected when they are taken off-site by employees?
55. Storage media: How is storage media used, managed, and disposed of to protect sensitive information?
56. Supporting utilities: What measures are in place to secure supporting utilities (e.g., power, HVAC) to ensure continuity of operations?
8. Technological Controls
57. User endpoint devices: How are user endpoint devices secured against unauthorized access and malware?
58. Privileged access rights: How are privileged access rights managed and monitored to prevent unauthorized access?
59. Information access restriction: How is access to sensitive information restricted based on user roles and responsibilities?
60. Access to source code: How is access to source code restricted to authorized personnel only?
61. Secure authentication: What methods are used to ensure secure authentication for accessing systems and data?
62. Capacity management: How is system capacity managed to ensure availability and performance under varying loads?
63. Protection against malware: What measures are implemented to protect against malware infections across your network and endpoint devices?
64. Management of technical vulnerabilities: How are technical vulnerabilities identified, assessed, and mitigated to reduce risk?
65. Configuration management: How is configuration management used to maintain secure and consistent system configurations?
66. Information deletion: How is sensitive information securely deleted or archived when no longer needed?
67. Data masking: How is sensitive data masked or anonymized to protect privacy during processing and storage?
68. Data leakage prevention: What measures are in place to prevent unauthorized data leakage and ensure data integrity?
69. Information backup: How are critical information assets backed up and tested regularly for recoverability?
70. Redundancy of information processing facilities: How are redundant information processing facilities used to ensure continuity of operations?
71. Logging: What events and activities are logged, and how are logs protected against unauthorized access and tampering?
72. Monitoring activities: How are system activities and network traffic monitored to detect and respond to suspicious behavior?
73. Clock synchronization: How is clock synchronization maintained across systems and networks for accurate event logging?
74. Use of privileged utility programs: How is the use of privileged utility programs controlled and monitored to prevent misuse?
75. Installation of software on operational systems: What procedures govern the installation of software on operational systems to prevent vulnerabilities?
76. Network security: How is network traffic monitored and controlled to protect against unauthorized access and attacks?
77. Security of network services: What measures are in place to secure network services (e.g., DNS, DHCP, email) against exploitation?
78. Segregation of networks: How are networks segregated to prevent unauthorized access and limit the impact of security incidents?
79. Web filtering: How is web filtering used to restrict access to malicious or unauthorized websites?
80. Use of cryptography: How is cryptography used to protect sensitive data during storage, transmission, and processing?
81. Secure development life cycle: Can you describe the procedures followed to ensure security is integrated throughout the software development life cycle?
82. Application security requirements: How are security requirements defined and implemented for applications to prevent vulnerabilities?
83. Secure system architecture and engineering principles: How are secure system architecture and engineering principles applied to mitigate security risks?
84. Secure coding: What measures are in place to ensure developers follow secure coding practices to prevent vulnerabilities?
85. Security testing in development and acceptance: How is security testing conducted during development and acceptance phases to identify and mitigate risks?
86. Outsourced development: How is security managed when development activities are outsourced to third-party vendors?
87. Separation of development, test, and production environments: How are environments segregated to prevent unauthorized access and maintain system integrity?
88. Change management: How are changes to systems and applications managed and tested to ensure security and stability?
89. Test information: How is test information managed and protected during testing phases to prevent exposure?
90. Protection of information systems during audit testing: How are information systems protected during audit testing to maintain confidentiality and integrity?
91. Secure disposal or reuse of equipment: How is equipment securely disposed of or reused to prevent unauthorized access to data?
92. User management: How is user access managed and monitored to ensure only authorized individuals have access to systems and data?
93. Asset management: How are information assets tracked, managed, and protected throughout their lifecycle to prevent loss or unauthorized access?
These questions cover a comprehensive range of controls spanning the organizational, people, physical, and technological aspects of information security. Adjust them to the specific context and requirements of the audit being conducted.