Each control has a purpose, which effectively takes the place of the control objective from the 2013 version.

AUDITING ATTRIBUTE USE
1. The use of control attributes is not mandatory, hence the absence of attributes is not a non-conformity.
2. Attributes are in ISO 27002 only, NOT in ISO 27001.
3. If attributes are in use:
- Do they contribute, in terms of control selection, to managing risks?
- Do they use them for clarity on responsibilities?
- Are they using their own attributes, and if so, for what purpose?
- Where are they capturing the attributes? In the SoA?

AUDITING AGAINST A.6.8 INFORMATION SECURITY EVENT REPORTING
Control Description
The organization should provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.
Purpose
To support timely, consistent, and effective reporting of information security events that can be identified by personnel.
How
Design and implement a reporting procedure, provide training, and promulgate the reporting channels (email addresses, telephone numbers).
Audit Question / Sampling records & documents
- Examine security event and incident procedures
Interview / Review the sampled documented information
- Sample the reported events
- Interview or observe service desk personnel on their response to security events

AUDITING AGAINST A.7.2 PHYSICAL ENTRY
Purpose
To ensure only authorized physical access to the organization's information and other associated assets occurs.
How
Security guards, CCTV, enhanced patrolling, sensors. May be difficult in leased or shared premises.
Audit Question / Sampling records & documents
Interview / Review the sampled documented information

AUDITING AGAINST A.7.10 STORAGE MEDIA
Purpose
To ensure only authorized disclosure, modification, removal, or destruction of information on storage media.
Audit Question / Sampling records & documents
- Review media handling policy and procedures
- Review reuse and disposal procedures and sample media destruction records
Interview / Review the sampled documented information
- Interview users on handling of media
- Interview staff responsible for media reuse/destruction

AUDITING AGAINST A.8.1 USER ENDPOINT DEVICES
Purpose
To protect information against the risks introduced by using user endpoint devices.
Audit Question / Sampling records & documents
- Review the policy on use of laptops and mobile devices
Interview / Review the sampled documented information
- Interview a few users of laptops and check whether they are aware of the policies

AUDITING AGAINST A.8.8 MANAGEMENT OF TECHNICAL VULNERABILITIES
Purpose
To prevent exploitation of technical vulnerabilities.
How
May be part of a broader organizational records management approach.
Audit Question / Sampling records & documents
- Review vulnerability management policy and procedures
- Review sources of vulnerability information and sample penetration testing reports
- Sample records of risk/vulnerability assessment decisions
- Sample patching records
Interview / Review the sampled documented information
- Interview systems administrators responsible for patching
- Review the reports of VA (vulnerability assessment) and penetration tests carried out
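
The two sampling steps above (patching records and risk/vulnerability assessment decisions) are usually tested together: every sampled finding must be either patched within the policy timescale or covered by a documented, time-bound acceptance. The script below is an added example, not material from the slide deck: the findings, patch records and acceptance decisions are constructed, and the `SLA_DAYS` table is an assumed organizational policy rather than anything ISO 27001 prescribes.

```python
"""Audit sampled patching records against a vulnerability management policy.

Added example, not from the slide deck. The vulnerability findings, patch
records and risk-acceptance decisions below are constructed, and the SLA
table is an assumed organizational policy, not an ISO 27001 requirement.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed policy: maximum days from public disclosure to remediation.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    asset: str
    severity: str
    published: date          # disclosure date taken from the vulnerability source


@dataclass(frozen=True)
class PatchRecord:
    vuln_id: str
    asset: str
    applied: date


@dataclass(frozen=True)
class RiskAcceptance:
    vuln_id: str
    asset: str
    approved_by: str
    expires: Optional[date]  # None means open-ended, which the audit flags


def audit_patching(findings: List[Finding], patches: List[PatchRecord],
                   acceptances: List[RiskAcceptance], as_of: date
                   ) -> List[Tuple[Tuple[str, str], str]]:
    """Return ((vuln_id, asset), reason) for every finding that is neither
    remediated within policy nor covered by a valid acceptance as of `as_of`."""
    applied = {(p.vuln_id, p.asset): p.applied for p in patches}
    accepted = {(a.vuln_id, a.asset): a for a in acceptances}
    exceptions = []
    for f in findings:
        key = (f.vuln_id, f.asset)
        deadline = f.published + timedelta(days=SLA_DAYS[f.severity])
        if key in applied:
            # Patched: a late patch is still an exception, the timescale was missed.
            late = (applied[key] - deadline).days
            if late > 0:
                exceptions.append((key, f"patched {late} day(s) after the {deadline} deadline"))
        elif key in accepted:
            # Not patched but a documented decision exists: it must be bounded and current.
            acc = accepted[key]
            if acc.expires is None:
                exceptions.append((key, f"risk accepted by {acc.approved_by} with no review/expiry date"))
            elif acc.expires < as_of:
                exceptions.append((key, f"risk acceptance expired on {acc.expires}"))
        elif as_of > deadline:
            # Neither patched nor accepted, and the deadline has passed.
            exceptions.append((key, f"unpatched {(as_of - deadline).days} day(s) past the {deadline} deadline"))
    return exceptions


# Constructed sample: what an auditor might transcribe from scanner output,
# the patch deployment log and the risk register.
AS_OF = date(2024, 6, 30)
SAMPLE_FINDINGS = [
    Finding("VULN-1001", "web-01", "critical", date(2024, 5, 1)),   # patched on time
    Finding("VULN-1002", "web-01", "high", date(2024, 4, 1)),       # patched, but late
    Finding("VULN-1003", "db-01", "critical", date(2024, 6, 1)),    # unpatched and overdue
    Finding("VULN-1004", "db-01", "medium", date(2024, 5, 1)),      # unpatched, not yet due
    Finding("VULN-1005", "legacy-01", "high", date(2024, 1, 1)),    # open-ended acceptance
    Finding("VULN-1006", "legacy-01", "high", date(2024, 2, 1)),    # expired acceptance
]
SAMPLE_PATCHES = [
    PatchRecord("VULN-1001", "web-01", date(2024, 5, 10)),
    PatchRecord("VULN-1002", "web-01", date(2024, 6, 1)),
]
SAMPLE_ACCEPTANCES = [
    RiskAcceptance("VULN-1005", "legacy-01", "CISO", None),
    RiskAcceptance("VULN-1006", "legacy-01", "CISO", date(2024, 5, 31)),
]


def run_sample() -> List[Tuple[Tuple[str, str], str]]:
    return audit_patching(SAMPLE_FINDINGS, SAMPLE_PATCHES, SAMPLE_ACCEPTANCES, AS_OF)


if __name__ == "__main__":
    for (vuln_id, asset), reason in run_sample():
        print(f"{vuln_id} on {asset}: {reason}")
```

Running the sample reports four exceptions (the late patch, the overdue unpatched finding and the two defective acceptances) and stays silent on the medium finding whose deadline has not yet arrived, which is the distinction between "not yet patched" and "non-conforming" that the auditor needs to draw when sampling.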

AUDITING AGAINST A.8.15 LOGGING
Control Description
Logs that record activities, exceptions, faults, and other relevant events should be produced, stored, protected, and analyzed.
Purpose
To record events, generate evidence, ensure the integrity of log information, prevent unauthorized access, identify information security events that can lead to an information security incident, and to support investigations.
How
This control relates to control A.5.12 regarding information classification. A.5.12 shall be effective as a precursor to this control.
Audit Question / Sampling records & documents
- Review the logging and log retention policies
- Sample logging settings on key devices
- Review log data location, storage, backup and archiving, and the access to such
- Check that privileged users do not have update access to logging data; sample some access lists
Interview / Review the sampled documented information
- Interview security management on the analysis of logs
- Review the log records
- Sample the access privileges for logs
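
The last check above ("privileged users do not have update access to logging data") is concrete enough to script. The following is an added example, not from the slide deck: `LogAccess` records are what an auditor would transcribe from a sampled access list, the three sample entries, the logging service accounts and the administrator names are constructed, and the policy the checks encode (only the logging account may write, no administrator may have a write path) is an assumption. `inspect_file` shows how the same record is derived from a live file on a POSIX host.

```python
"""Check that privileged accounts have no update access to log data.

Added example, not from the slide deck. Sample entries, writer accounts and
administrator lists are constructed; the policy they encode is assumed.
"""
import os
import stat
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# Assumed policy: only these accounts/groups may write log files, and the
# privileged administrators must have no write path (ownership, group,
# world bit or ACL) to log data.
LOG_WRITERS: Set[str] = {"root", "syslog"}
LOG_WRITER_GROUPS: Set[str] = {"syslog"}
PRIVILEGED_ADMINS: Set[str] = {"alice", "bob"}
ADMIN_GROUPS: Set[str] = {"adm", "wheel", "sudo"}


@dataclass(frozen=True)
class LogAccess:
    path: str
    owner: str
    group: str
    mode: int                                  # POSIX permission bits, e.g. 0o640
    acl_writers: FrozenSet[str] = frozenset()  # principals granted write via ACL (assumed format)
    append_only: bool = False                  # e.g. chattr +a on Linux


def audit_log_access(entry: LogAccess) -> List[str]:
    """Return findings for one log file; an empty list means it is within policy."""
    findings = []
    if entry.owner not in LOG_WRITERS:
        who = "privileged administrator" if entry.owner in PRIVILEGED_ADMINS else "non-logging account"
        findings.append(f"owned by {who} '{entry.owner}', who can rewrite the file")
    if entry.mode & stat.S_IWGRP and entry.group not in LOG_WRITER_GROUPS:
        kind = "administrator group" if entry.group in ADMIN_GROUPS else "non-logging group"
        findings.append(f"{kind} '{entry.group}' has write access")
    if entry.mode & stat.S_IWOTH:
        findings.append("world-writable")
    for principal in sorted(entry.acl_writers & PRIVILEGED_ADMINS):
        findings.append(f"ACL grants write to privileged administrator '{principal}'")
    if not entry.append_only:
        # Without an append-only flag even the legitimate writer can truncate
        # or rewrite history, so integrity rests on access control alone.
        findings.append("advisory: not append-only, existing entries can be altered by any writer")
    return findings


def inspect_file(path: str, append_only: bool = False) -> LogAccess:
    """Build a LogAccess record from a live file (POSIX only). ACL entries and
    the append-only flag are not visible through os.stat, so pass them in."""
    import grp
    import pwd
    st = os.stat(path)
    return LogAccess(path, pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name,
                     stat.S_IMODE(st.st_mode), frozenset(), append_only)


# Constructed sample access list.
SAMPLE_ENTRIES = [
    LogAccess("/var/log/auth.log", "syslog", "adm", 0o640, append_only=True),       # adm can read, not write
    LogAccess("/var/log/app/audit.log", "alice", "wheel", 0o664, frozenset({"bob"})),  # owner, group and ACL problems
    LogAccess("/var/log/app/debug.log", "syslog", "syslog", 0o666),                  # world-writable
]


def run_sample() -> Dict[str, List[str]]:
    return {e.path: audit_log_access(e) for e in SAMPLE_ENTRIES}


if __name__ == "__main__":
    for path, findings in run_sample().items():
        print(path, "->", findings or ["within policy"])
```

The first entry is the pattern to expect on a conforming host: the logging account owns the file, an administrator group gets read-only access for analysis, and the file is append-only. The second is what the check exists to catch: an administrator owns the file outright, the administrator group can write, and an ACL quietly adds a second administrator.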

AUDITING AGAINST A.8.19 INSTALLATION OF SOFTWARE ON OPERATIONAL SYSTEMS
Control Description
Procedures and measures should be implemented to securely manage software installation on operational systems.
Purpose
To ensure the integrity of operational systems and prevent exploitation of technical vulnerabilities.
Audit Question / Sampling records & documents
- Review testing practices for new and changed applications
- Review policies on software installation, whitelisting, etc.
- Sample access controls on systems
- Sample any software register identifying vendor software
- Sample the currency of vendor software to ensure it is still maintained
Interview / Review the sampled documented information
- Interview systems administrators responsible for installations
- Sample the whitelisted software

AUDITING AGAINST A.8.24 USE OF CRYPTOGRAPHY
Control Description
Rules for the effective use of cryptography, including cryptographic key management, should be defined and implemented.
Purpose
To ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information according to business and information security requirements, and taking into consideration legal, statutory, regulatory and contractual requirements related to cryptography.
Audit Question / Sampling records & documents
- Review the cryptographic policy
- Confirm encryption technology was selected to meet business objectives
- Review any key management procedures
- Sample digital certificates to validate currency
- Sample the use of encryption on mobile devices
Interview / Review the sampled documented information
- Interview systems administrators responsible for management of digital certificates and encryption keys
- Sample the DSCs (digital signature certificates)
- Sample the data at rest and also sample the data in transit

AUDITING AGAINST A.8.26 APPLICATION SECURITY REQUIREMENTS
Control Description
Information security requirements should be identified, specified and approved when developing or acquiring applications.
Purpose
To ensure all information security requirements are identified and addressed when developing or acquiring applications.
Audit Question / Sampling records & documents
- Check authentication and trust mechanisms
- Sample design and specifications documentation to identify security considerations
- Check what non-repudiation mechanisms are in place for application transactions, e.g. PKI
- Check transaction logging
- Sample risk assessments of new or changed applications
Interview / Review the sampled documented information
- Interview security management regarding involvement in application design
- Interview security management regarding privacy and other regulatory requirements
- Interview application developers and systems architects regarding function-level and data-level security design

AUDITING AGAINST A.8.29 SECURITY TESTING IN DEVELOPMENT AND ACCEPTANCE
Control Description
Security testing processes should be defined and implemented in the development life cycle.
Purpose
To validate whether information security requirements are met when applications or code are deployed to the production environment.
Audit Question / Sampling records & documents
- Examine testing procedures to ensure testing of security functions is conducted
- Sample test plans and results
- Review how criteria for acceptance of new systems are defined, agreed, documented, and tested
- Review any penetration test reports and action taken on outcomes
- Sample risk assessments of new or changed applications
Interview / Review the sampled documented information
- Interview applications testing personnel
- Sample the unit and integration tests for review

AUDITING AGAINST A.8.31 SEPARATION OF DEVELOPMENT, TEST AND PRODUCTION ENVIRONMENTS
Control Description
Development, testing and production environments should be separated and secured.
Purpose
To protect the production environment and data from compromise by development and test activities.
Audit Question / Sampling records & documents
- Review the access control policy in relation to the various environments
- Sample access to confirm restricted access to each environment as per the access control policy
Interview / Review the sampled documented information
- Interview application development management on the presence of development, test and production environments
- Interview applications developers regarding separation of roles and responsibilities
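
Sampling access "to each environment as per the access control policy" is a comparison of granted permissions against a role-by-environment matrix, plus a separation-of-duties look for single accounts that can modify both a non-production environment and production. The script below is an added example, not from the slide deck: the grants are constructed (as if exported from an IAM system or application access lists), and the `ALLOWED` matrix is an assumed policy that a real audit would take from the organization's own access control policy.

```python
"""Sample access grants against an environment separation policy.

Added example, not from the slide deck. The grants are constructed and the
role/environment permission matrix is an assumed policy.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

ENVIRONMENTS = ("development", "test", "production")
MODIFYING = {"write", "admin"}   # permissions that can change code or configuration


@dataclass(frozen=True)
class Grant:
    account: str
    person: str       # human (or pipeline) behind the account
    role: str
    environment: str
    permission: str   # read | write | deploy | admin


# Assumed policy: the permissions each role may hold in each environment.
# Developers never touch production; operators never touch development;
# the deployment identity can only deploy, never edit, in production.
ALLOWED: Dict[str, Dict[str, Set[str]]] = {
    "developer": {"development": {"read", "write", "admin"}, "test": {"read", "deploy"}, "production": set()},
    "tester":    {"development": {"read"}, "test": {"read", "write"}, "production": set()},
    "operator":  {"development": set(), "test": {"read"}, "production": {"read", "write", "admin"}},
    "deployer":  {"development": set(), "test": {"read", "deploy"}, "production": {"deploy"}},
}

Violation = Tuple[str, str, str, str]  # (account, environment, permission, reason)


def audit_grants(grants: List[Grant]) -> Dict[str, list]:
    """Return policy violations and accounts whose modifying rights span
    production and a non-production environment."""
    violations: List[Violation] = []
    modifying_envs: Dict[str, Set[str]] = defaultdict(set)
    for g in grants:
        if g.environment not in ENVIRONMENTS:
            violations.append((g.account, g.environment, g.permission, "unknown environment"))
            continue
        allowed = ALLOWED.get(g.role, {}).get(g.environment, set())
        if g.permission not in allowed:
            violations.append((g.account, g.environment, g.permission, f"not permitted for role '{g.role}'"))
        if g.permission in MODIFYING:
            modifying_envs[g.account].add(g.environment)
    # Separation of duties: one account able to modify both sides of the boundary
    # defeats the environment split even if each grant were individually approved.
    spanning = sorted(acct for acct, envs in modifying_envs.items()
                      if "production" in envs and envs - {"production"})
    return {"policy_violations": violations, "spanning_accounts": spanning}


# Constructed sample export.
SAMPLE_GRANTS = [
    Grant("dev-alice", "alice", "developer", "development", "write"),
    Grant("dev-alice", "alice", "developer", "production", "write"),   # developer writing to production
    Grant("bob", "bob", "tester", "test", "write"),
    Grant("bob", "bob", "tester", "production", "read"),               # tester reading production data
    Grant("ops-carol", "carol", "operator", "production", "admin"),
    Grant("ops-carol", "carol", "operator", "development", "write"),   # operator editing development
    Grant("ci-deploy", "pipeline", "deployer", "test", "deploy"),
    Grant("ci-deploy", "pipeline", "deployer", "production", "deploy"),
]


def run_sample() -> Dict[str, list]:
    return audit_grants(SAMPLE_GRANTS)


if __name__ == "__main__":
    result = run_sample()
    for account, env, perm, reason in result["policy_violations"]:
        print(f"{account}: {perm} on {env} - {reason}")
    print("accounts spanning production and non-production:", result["spanning_accounts"])
```

The deployment identity is deliberately left within policy: it can deploy to test and production but edit neither, so it is not reported as spanning. Whether one pipeline identity should reach both environments is a question for the interview with development management, not something the access sample alone decides.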

AUDITING AGAINST A.8.32 CHANGE MANAGEMENT
Purpose
To preserve information security when executing changes.
Audit Question / Sampling records & documents
- Review the change management procedure
Interview / Review the sampled documented information
- Interview the change manager on the change control process