
ISMS – HR Internal Audit Questions

HR Processes:

• How is segregation of duties handled in the HR team? (Charu alone - how much support is extended by Indira?)

• Is all employee-related information (name, address, family details, Aadhaar info) documented in one place? How secure is it?

• Is there a procedure in place to ensure that evidence is protected?

• Has any incident happened where an employee file (maybe an old employee's) was misplaced? What security procedure is set up for that?

• When were the HR policies last reviewed / updated? Are any new policies in place for the current situation (leave for employees with Covid / monetary benefits)?

• How aware are the employees of the HR policies? (Are regular emails sent / events conducted about policies & procedures?)

• How is employee information labelled with its classification / files? (When someone suddenly asks for a document, do you have to search all the files on your laptop, or do you keep it segregated?)

• How do you maintain the authenticity of information? (ex: hike letters, offer letters)

• How does the joining process differ when onboarding 1 employee versus 10 employees at a time?

• What is monitored and measured continuously by HR?


KEKA / HR PORTAL:
• What significant changes have happened that prompted a risk assessment to be carried out? (Did we do this for Keka?)

• Who has what kind of access to Keka / the HR portal? Is there a security code system / OTP?

• How are access rights reviewed, and how often?

• What protection is in place against failures of supporting utilities (Keka failure / laptop failure)?

• Does anyone else have a backup of the data?

• How regularly do you keep your backups ready (monthly, quarterly)?

• Are the HR portal / Keka system admin activities logged and reviewed?

• How are leaves tracked (in case an employee misses updating them)?

• Is there a mobile Keka app? (Are employees aware of it? Can any fraud happen with it by turning off location?)

• What security measures are in place to manage mobile device risk?


Training Records:
• How often does HR conduct internal meetings with managers to understand the training needs of the organisation? (Planning employee development)

• How do you select personnel to be trained in areas that improve performance and product quality requirements?

• What type of training does the organisation offer? How frequently is the training conducted? Is the training evaluated before and after? Is the training documented?

• How is training evaluated?

• What steps are taken when training is deemed ineffective?

• What types of training records are maintained?

• What training is given to new employees?

Separation Process:
• What happens when an employee leaves, with respect to information security?

• What happens to access rights when someone leaves or moves?

• How is the access control policy implemented in Keka (ex: logins / passwords)?

• How do you remove an employee from Keka after they leave?

• What is the termination process?

On-Boarding Process:
• What is the policy for on-boarding an employee?

• Does orientation happen for each employee who joins? Is ISMS part of it?

• What does the orientation program for new employees look like?


BGV Checklists:
• What background verification checks are carried out on employment candidates?

• How is information security covered in employment contracts?

• How are employees and contractors made aware of, and trained on, information security issues?

• How are documents of external origin handled (like employees' certificates, etc.)?

• Are any processes outsourced, like BGV? How are those handled / controlled?

NDA Compliance:
• How are NDAs documented and shared with employees?

• How is supplier service delivery monitored, reviewed and audited?

• How are changes made by suppliers managed and risk-assessed?
