
ISO 27001 in practice - Annex A
Possible audit questions and evidence for selected measures

In times when data and information are traded like rare commodities, their protection is indispensable. An optimal basis for the effective implementation of a holistic security strategy is a well-structured information security management system (ISMS) in accordance with the ISO 27001 standard. This internationally recognized standard for information security applies to private, public and non-profit organizations and addresses considerably more than the technical aspects of IT security.

An information security management system according to ISO 27001 defines requirements, rules and methods for ensuring the security of the information in the company that requires protection. The standard provides a model for introducing, implementing, monitoring and improving the level of protection. The systematic approach helps to protect confidential company data against loss and misuse, and to reliably identify potential risks for the company, analyze them and bring them under control through appropriate measures. Particularly valuable for practice is the implementation of the measures in Annex A of the standard, to which DQS has dedicated this practical guide.

Annex A of ISO 27001 in practice

In addition to the management-system-oriented requirements section (chapters 4 to 10), the standard contains in Annex A, across 14 chapters, a comprehensive list of 35 measure objectives with 114 concrete measures relating to a wide variety of security aspects. These measures must be implemented as part of the management system insofar as they are relevant to your company.

On the following pages you will find a series of sample audit questions for selected measures from Annex A (A.5 to A.8 and A.15 to A.18), the answers to which provide information about the status quo of your information security. The content of the audit questions follows ISO 27002 and thus provides a helpful link between the measures and the guidance of the ISO 27002 code of practice. Implementation examples from practice, possible evidence and exemplary key figures complete the guide so that a possible need for action in the company can be reliably identified.

The term "measure"

The statements referred to as "measures" in Annex A are in fact individual objectives that describe what a standard-compliant outcome of appropriate (individual) measures should look like.

Sources:
DIN EN ISO/IEC 27001:2017 Information technology - Security techniques - Information security management systems - Requirements (ISO/IEC 27001:2013 including Cor 1:2014 and Cor 2:2015)
DIN EN ISO/IEC 27002:2017 Information technology - Security techniques - Guidance for information security measures (code of practice for information security controls)

ISO 27002 can be seen as an extension of ISO 27001: while ISO 27001 specifies the measures to reduce security risks, ISO 27002 is a guideline that describes ways of implementing the measures required by ISO 27001. Note that the Annex A numbering used in this guide is that of the 2013 edition; ISO/IEC 27001:2022 restructured Annex A into 93 controls in four themes, so the control identifiers differ in that edition.

1 | www.dqsglobal.com
ISO 27001 Annex A - Reference measure objectives and reference measures
A.5 Information security policies

A.5.1 Management direction for information security

Goal: Top management provides guidance and support for information security in accordance with business requirements and applicable laws and regulations.

A.5.1.1 Information security policy

Measure: The company defines policies for information security. Top management approves them, publishes them and communicates them not only to employees but also to the relevant interested parties.

Audit questions:
- Which legal requirements have you taken into account in the information security policies?
- On what basis have you defined goals and principles for dealing with information security?
- What standards do you apply when assigning responsibilities and roles?
- What criteria did you use to deal with deviations and exceptions?
- How do you ensure that the policies are made known both internally and externally?
- How did you identify your relevant interested parties?

Implementation example: The information security policy should always take into account all interested parties relevant to the company. It can differ in character depending on whether it is oriented internally or externally.
Possible evidence: Information security policy
Possible key figures:
- Documentation of the regular review of the information security policy, e.g. as part of the annual management review
- Occasion-related review of validity when new risks occur

A.5.1.2 Review of the information security policies

Measure: The company reviews the information security policies at scheduled intervals or when significant changes occur, in order to ensure their continued suitability, adequacy and effectiveness.

Audit questions:
- What criteria do you use to determine the intervals between scheduled reviews?
- How have you established authority and responsibility for policy review?
- What method do you use to perform the reviews?
- How do you evaluate the significance of changes?
- How do you determine the adequacy of a policy?
- Is the information security policy up to date?
A.6 Information security organization

A.6.1 Internal organization


Goal: Top management has a framework for implementing and managing information security.

A.6.1.1 Information security roles and responsibilities

Measure: The company defines and assigns responsibilities for information security.

Audit questions:
- According to which criteria have you assigned or defined information security roles and responsibilities?
- How have you identified the corporate assets and information security processes to which roles and responsibilities are assigned?
- How have you ensured that the persons assigned to the individual authorization levels are competent to assume that responsibility?
- How have you identified information security aspects with regard to your supplier relationships?

Implementation example: Role or competence matrix with reference to the information security processes, as well as a role or competence matrix with reference to the authorizations granted, e.g. for ERP systems, directories on drives, use of team rooms.
Possible evidence: Competence matrix with reference to the access authorizations to information
Possible key figure: Periodic or occasion-related checking of the validity of authorizations

A.6.1.2 Segregation of duties

Measure: Tasks and areas of responsibility that conflict with each other are separated. This reduces the opportunity for unauthorized or unintended changes, or changes that could lead to misuse of the company's assets.

Audit questions:
- How have you identified tasks or areas of responsibility that conflict with each other?
- How have you ensured that a single person cannot both use and change company assets without permission?
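The two audit questions above are easiest to answer with evidence if the role matrix (the evidence named for A.6.1.1) is checked mechanically against a list of conflicting role pairs and a register of documented exceptions. The following Python script is an added example and not part of the DQS guide; the role matrix, the conflicting pairs and the exception register are constructed, and a real check would read them from the IAM export and the competence matrix.

```python
"""Segregation-of-duties check over a role/competence matrix.

Added example for A.6.1.2, not from the DQS guide. All data below is constructed.
"""
from datetime import date

# Constructed role matrix: person -> set of roles held (e.g. an IAM export).
ROLE_MATRIX = {
    "alice": {"create_vendor", "approve_payment"},
    "bob":   {"develop_code", "review_code"},
    "carol": {"develop_code", "deploy_production"},
    "dave":  {"request_access", "grant_access"},
    "erin":  {"approve_payment"},
}

# Constructed list of role pairs one person must never hold at the same time.
CONFLICTING_PAIRS = [
    ("create_vendor", "approve_payment"),    # invent a payee and pay it
    ("develop_code", "deploy_production"),   # change code and release it unreviewed
    ("request_access", "grant_access"),      # approve one's own access
]

# Constructed register of management-approved exceptions (the "permission" the
# audit question refers to), keyed by person and role pair, with an expiry date.
APPROVED_EXCEPTIONS = {
    ("carol", frozenset({"develop_code", "deploy_production"})): date(2030, 1, 1),
    ("dave", frozenset({"request_access", "grant_access"})): date(2020, 1, 1),  # expired
}

# Reference date for the check; a real run would use date.today().
AS_OF = date(2024, 6, 1)


def find_sod_conflicts(role_matrix, conflicting_pairs):
    """Return {person: [conflicting pair, ...]} for every pair a person fully holds."""
    conflict_sets = [frozenset(pair) for pair in conflicting_pairs]
    found = {}
    for person, roles in role_matrix.items():
        hits = [pair for pair in conflict_sets if pair <= roles]
        if hits:
            found[person] = hits
    return found


def unapproved_conflicts(role_matrix, conflicting_pairs, exceptions, today):
    """Conflicts with no exception on file, or whose exception has expired."""
    result = {}
    for person, hits in find_sod_conflicts(role_matrix, conflicting_pairs).items():
        open_hits = []
        for pair in hits:
            expiry = exceptions.get((person, pair))
            if expiry is None or expiry < today:
                open_hits.append(pair)
        if open_hits:
            result[person] = open_hits
    return result


def report(role_matrix, conflicting_pairs, exceptions, today):
    """Human-readable findings, one line per unapproved conflict, sorted by person."""
    lines = []
    for person, hits in sorted(unapproved_conflicts(role_matrix, conflicting_pairs,
                                                    exceptions, today).items()):
        for pair in hits:
            lines.append(f"{person}: holds {' + '.join(sorted(pair))} without a valid exception")
    return lines


if __name__ == "__main__":
    for line in report(ROLE_MATRIX, CONFLICTING_PAIRS, APPROVED_EXCEPTIONS, AS_OF):
        print(line)
```

With the constructed data, carol's conflict is covered by a valid exception and is not reported, dave's exception has expired and is reported, and alice holds a conflicting pair with no exception at all. The report lines are the kind of finding that would be recorded in the periodic authorization review named as a key figure for A.6.1.1.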


A.6.1.3 Contact with authorities

Measure: The company maintains appropriate contacts with relevant authorities.

Audit questions:
- Does a procedure exist that regulates when and how competent authorities or other relevant bodies are contacted, or the public informed, in the event of an information security incident?
- Is it defined which authorities or other bodies are to be contacted in the event of an information security incident?

Implementation example: Establish a procedure for communicating with relevant external entities
Possible key figure: Periodic or occasion-related review of the validity of the procedure

A.6.1.4 Contact with special interest groups

Measure: The company maintains appropriate contacts with special interest groups or other security-oriented expert forums and professional associations.

Audit questions:
- In which security-oriented interest groups or forums is your company a member, or with which does it maintain professional contacts?
- How do you ensure that your understanding of your information security environment is always up to date and comprehensive?
- Where do you obtain information security warnings about possible attacks on information-processing systems?
- Do you regularly exchange information on new technology and on possible vulnerabilities, e.g. in expert forums or with professional associations?

A.6.1.5 Information security in project management

Measure: The company takes information security into account in project management, regardless of the type of project.

Audit questions:
- Have you integrated information security objectives into your project management across all phases?
- Do you carry out an information security risk assessment at an early stage of a project in order to identify any (control) measures that may be necessary?

Implementation example: Establishment of a procedure; the information security requirements have been implemented in all projects.
Possible evidence: Project documentation
Possible key figure: Regular, documented review of the process by the responsible asset owner
A.6.2 Mobile devices and teleworking
Goal: Information security is ensured both when teleworking and when using mobile devices.

A.6.2.1 Mobile device policy

Measure: To manage the risks arising from the use of mobile devices, an appropriate policy and supporting security measures are implemented.

Audit questions:
- Which essential aspects did you base your policy for the handling of mobile devices on?
- How do you ensure the registration of all mobile devices used in the company?
- What measures have you taken to physically protect mobile devices?
- Is the installation of software or apps on the devices restricted?
- Are there access controls and protection against malware for mobile devices?
- Is the connection of mobile devices to information services restricted?
- What are the rules for creating backups?

Implementation example: Creation of a policy on the use of mobile devices and teleworking
Possible evidence: Monitoring of the mobile devices by appropriate systems
Possible key figures:
- Quotient: number of mobile devices protected in good time / total number of mobile devices
- Recording of violations of the established policy in incident management

A.6.2.2 Teleworking

Measure: If information is accessed, processed or stored at teleworking sites, its protection must be ensured. The company has created a policy for this purpose and implemented supporting security measures.

Audit questions:
- What criteria did you use as a basis for the policy on the protection of information in teleworking?
- What restrictions or conditions on teleworking have you included in the policy?
- How do you ensure the (physical) security of the respective teleworking environment?
- What measures have been taken to protect company information stored at or accessible from the teleworking site from unauthorized access?
- What measures have been taken to protect against attacks from the Internet?
- What security measures do you have in place for the transfer of information between the teleworking site and the company?
A.7 Human resource security

A.7.1 Prior to employment

Goal: The company has ensured that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.

A.7.1.1 Screening

Measure: Applicants for employment undergo background verification that complies with relevant laws, regulations and ethical principles. The depth of this verification is proportionate to the business requirements, the classification of the information to be accessed and the perceived risks.

Audit questions:
- Does the company have a list of legal and ethical criteria that must be observed when screening applicants?
- How do you ensure that the screening is appropriate, e.g. with regard to possible risks or to the company's needs?
- Are résumés, degrees and other documents from applicants checked for plausibility and authenticity?
- If the applicant is to take on a role in the area of information security: how do you ensure that the applicant can competently fulfill the intended role and is trustworthy? Is information from social media also used in this process?
- Is there a procedure that regulates who in the company performs the screenings, under what conditions and in what way, without violating applicable laws?

Implementation example: Establishment of a procedure for hiring new employees
Possible key figure: Periodic or occasion-related review of the validity of the procedure

A.7.1.2 Terms and conditions of employment

Measure: The responsibilities of employees and contractors, and those of the company towards them, are contractually agreed.

Audit questions:
- How is it ensured that all employees and contractors with access to confidential information sign a confidentiality agreement?
- Are all employees and contractors contractually obligated to assume responsibility for compliance with, for example, copyright or data protection requirements?
- Is it contractually regulated which responsibilities employees and contractors have to assume when dealing with external information?

Implementation example: Establishment of a procedure
Possible evidence: Verification that the confidentiality agreement has been acknowledged
A.7.2 During employment
Goal: The company must ensure that employees and contractors alike are aware of and meet their
information security responsibilities.

A.7.2.1 Management responsibilities

Measure: Top management requires employees and contractors to apply information security in accordance with the established policies and procedures.

Audit questions:
- How does top management encourage employees and contractors to implement and apply the policies and procedures introduced in connection with information security?
- What mechanisms are used to check whether employees and contractors comply with top management's requirements regarding information security?
- How does management ensure that employees and contractors are aware of the company's information security policies and procedures?
- How are employees and contractors motivated to implement or apply the policies and procedures?

Implementation example: Employee training curriculum
Possible evidence: Training certificates
Possible key figure: Number of security incidents with human error as the cause

A.7.2.2 Information security awareness, education and training

Measure: In order to create appropriate awareness of information security, the company trains its employees and, where relevant, also contractors on topics relevant to their job function, and regularly updates its policies and procedures.

Audit questions:
- What kind of professional education and training do you offer your employees and contractors regarding information security?
- At what intervals are internal information security policies and procedures reviewed or updated?
- What other means (events, publications, etc.) are used to raise awareness among employees and contractors of internal information security policies and procedures?
- In what form does top management, for its part, demonstrate its commitment to information security?
- What concrete measures in your company are aimed at ensuring that employees and contractors remain familiar with internal information security policies and procedures in the long term?

Implementation example: Employee training curriculum
Possible evidence:
- Interviews of employees on information security
- Workplace inspections
- Regular review of access to systems and services
Possible key figure: Number of security incidents and violations with human error as the cause
A.7.2.3 Disciplinary process

Measure: To enable action to be taken against employees who have committed an information security breach, the company has formally defined, established and communicated a disciplinary process.

Audit questions:
- According to which criteria do you classify the severity of an information security breach?
- What is the procedure for dismissals without notice?
- When setting up the disciplinary process, how did you ensure that it does not violate applicable laws?
- Does the disciplinary process contain measures that motivate employees who have violated information security to change their behavior positively in the long term?

Implementation example: Sanctioning of violations of the company's established policies
Possible evidence: Evidence in the personnel file
Possible key figures:
- Number of dismissals without notice
- Number of disciplinary actions
A.7.3 Termination and change of employment
Goal: The process of changing or terminating employment protects the company's interests.

A.7.3.1 Termination or change of employment responsibilities

Measure: Information security responsibilities and duties that remain valid after termination or change of employment have been defined, communicated to the employee or contractor, and are enforced.

Audit questions:
- Do the employment contracts contain agreements on how employees are to deal with information security responsibilities and duties that continue after termination or change of employment?
- How do you check whether these agreements are kept?
- How do you enforce compliance with continuing responsibilities and duties?

Implementation example: Establishment of a procedure for dealing with departures and transfers
Possible key figures:
- Control of the process by the human resources department
- Checking for completeness of the return of company-owned material
A.8 Asset management

A.8.1 Responsibility for assets

Goal: The company's assets are identified and appropriate responsibilities for their protection are defined.

A.8.1.1 Inventory of assets

Measure: Information and other assets associated with information-processing facilities are identified, inventoried and maintained.

Audit questions:
- How do you go about capturing valuable or mission-critical information associated with information-processing facilities?
- How do you determine the life cycle of this information and its concrete significance for the company?
- Is the inventory of information assets regularly checked or updated for completeness?
- Is the inventory also available to other areas of the company, or is it linked to other inventories or lists for this purpose?

Implementation example: Creation of an asset list that records the protection requirement of each item of information and the carrier medium on which it is held.
Possible evidence: List of the company's assets. The protection requirement of the information must be inherited by the media (carriers) on which it is stored.
Possible key figure: Verification of the completeness and integrity of the asset list, e.g. regular or ad hoc verification of the validity and correctness of the asset information

A.8.1.2 Ownership of assets

Measure: All assets listed in the inventory are assigned to a responsible owner.

Audit questions:
- Are the identified information assets assigned to specific owners?
- According to which criteria does this assignment take place?
- How does the owner of information assets ensure that they are actually inventoried and protected?
- According to which criteria does the asset owner define access restrictions to (significant) assets?

Implementation example: Linking the asset list to the information owners
Possible key figure: Verification of the completeness and integrity of the asset list, e.g. periodic or event-related verification of the validity and correctness of the asset information
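The evidence named for A.8.1.1 requires the protection requirement of the information to be inherited by its carrier media, and A.8.1.2 requires every inventoried asset to have an owner. Both are properties an auditor can check mechanically over the asset list. The following Python script is an added example and not part of the DQS guide; the classification scheme, the information assets and the carrier media are constructed, and a real check would read them from the company's asset register.

```python
"""Asset-list consistency check for A.8.1.1 and A.8.1.2.

Added example, not from the DQS guide. All inventory data below is constructed.
A carrier's protection requirement is inherited as the highest classification
of the information stored on it.
"""

# Constructed classification scheme, ordered from lowest to highest protection need.
LEVELS = ["public", "internal", "confidential", "strictly_confidential"]

# Constructed information assets: name -> (classification, owner or None).
INFORMATION_ASSETS = {
    "price_list": ("public", "sales_lead"),
    "customer_contracts": ("confidential", "legal_lead"),
    "payroll": ("strictly_confidential", "hr_lead"),
    "source_code": ("confidential", None),  # inventoried, but no owner recorded
}

# Constructed carrier media: carrier -> set of information assets held on it.
CARRIERS = {
    "fileshare-01": {"price_list", "customer_contracts"},
    "hr-laptop-07": {"payroll"},
    "git-server": {"source_code"},
    "old-backup-tape": set(),  # inventoried carrier with no information mapped to it
}


def level_rank(level):
    """Position of a classification level in the scheme (higher = more protection)."""
    return LEVELS.index(level)


def inherited_requirement(carrier_assets, information_assets):
    """Highest classification among the information on a carrier; None if nothing is mapped."""
    levels = [information_assets[name][0]
              for name in carrier_assets
              if name in information_assets and information_assets[name][0] in LEVELS]
    if not levels:
        return None
    return max(levels, key=level_rank)


def carrier_requirements(carriers, information_assets):
    """Derive the inherited protection requirement for every carrier medium."""
    return {carrier: inherited_requirement(assets, information_assets)
            for carrier, assets in carriers.items()}


def ownership_coverage(information_assets):
    """Share of information assets with an owner assigned (a key figure for A.8.1.2)."""
    owned = sum(1 for _, owner in information_assets.values() if owner is not None)
    return owned / len(information_assets)


def inventory_findings(information_assets, carriers):
    """Gaps an auditor would raise: unknown levels, missing owners, dangling references, unmapped items."""
    findings = []
    for name, (level, owner) in information_assets.items():
        if level not in LEVELS:
            findings.append(f"{name}: unknown classification '{level}'")
        if owner is None:
            findings.append(f"{name}: no owner assigned (A.8.1.2)")
    referenced = set()
    for carrier, assets in carriers.items():
        for name in assets:
            if name not in information_assets:
                findings.append(f"{carrier}: references uninventoried asset '{name}'")
            referenced.add(name)
        if not assets:
            findings.append(f"{carrier}: no information mapped, protection requirement unknown")
    for name in information_assets:
        if name not in referenced:
            findings.append(f"{name}: not located on any inventoried carrier")
    return sorted(findings)


if __name__ == "__main__":
    for carrier, level in carrier_requirements(CARRIERS, INFORMATION_ASSETS).items():
        print(f"{carrier}: {level}")
    print(f"ownership coverage: {ownership_coverage(INFORMATION_ASSETS):.0%}")
    for finding in inventory_findings(INFORMATION_ASSETS, CARRIERS):
        print(finding)
```

With the constructed data, the file share inherits "confidential" from the customer contracts even though it also holds public information, the HR laptop inherits "strictly_confidential" from the payroll data, the backup tape has no inherited requirement because nothing is mapped to it, and the source code is flagged for having no owner. The coverage figure is the kind of key figure the guide suggests tracking over time.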

A.8.1.3 Acceptable use of assets

Measure: Rules for the acceptable use of information and of assets associated with information-processing facilities have been established, documented and are applied.

Audit questions:
- How do you make employees and external parties who use or have access to company assets associated with information or information-processing facilities and resources aware of the information security requirements that apply to these assets, and how do you communicate them?
- How is it ensured that this group of persons takes responsibility for their use of the company's information-processing facilities and resources?

Implementation example: Newsletters, notices, e-mails
Possible evidence: Records of communication with employees and external parties on the importance of information security for the company
Possible key figure: Review of the notifications sent; this can be assessed as part of the company's internal audit

A.8.1.4 Return of assets

Measure: If company assets are held by employees or external users, these assets are returned to the company upon termination of the employment relationship, contract or agreement.

Audit questions:
- How do you ensure that physical and electronic company assets in the possession of employees or external parties are returned to the company after termination of an employment, contract or agreement?
- How is it ensured that information stored on users' own devices, or on devices that users take over (buy) from the company, is transferred to the company and then deleted from the devices?

Implementation example: Recording the whereabouts of the company's physical and electronic assets in a list
Possible evidence: Record of all physical and electronic company assets issued, so that their return can be verified
Possible key figure: Verification of the completeness and integrity of the asset list, e.g. periodic or occasion-related verification of its validity

A.8.2 Information classification


Goal: Ensure that information receives an appropriate level of protection based on its importance to the organization.

A.8.2.1 Classification of information

Measure: Information is classified according to the following criteria:
- legal requirements
- its value
- its criticality
- its sensitivity to unauthorized disclosure or modification

Audit questions:
- How have you ensured that all information owners apply the same classification scheme for the individual criteria?
- What method did you use to define the respective level of protection for each criterion?
- At what intervals do you check whether the classification is still up to date?
- To what extent are the classification results embedded in the general company processes?

Implementation example: Definition of structures for the standardized creation of file names; uniform definitions of directory structures; marking of documents with their confidentiality level.
Possible evidence: Review of the documents listed in the classification scheme for compliance with the specifications
Possible key figure: Verification of the completeness and integrity of the asset list, e.g. periodic or occasion-related verification of its validity
A.8.2.2 Labelling of information

Measure: The company has developed and implemented appropriate procedures for labelling information in accordance with its classification scheme.

Audit questions:
- What procedures do you follow for labelling information?
- Is the classification of information a fundamental part of the labelling?
- How do you take into account that a label makes sensitive information identifiable and can thus facilitate targeted attacks or theft?

Implementation example: Definition of structures for the standardized creation of file names; uniform definitions of directory structures; marking of documents with regard to their confidentiality.
Possible evidence: Review of the documents listed in the classification scheme for compliance with the specifications
Possible key figure: Verification of the completeness and integrity of the asset list, e.g. periodic verification of its validity or verification on an ad hoc basis

A.8.2.3 Handling of assets

Measure: The company has developed and implemented procedures for handling assets in accordance with its classification scheme.

Audit questions:
- What criteria did you use to develop access restrictions to protect assets?
- How do you ensure that authorized recipients of assets (the asset owners) maintain and update formal records of assets?
- Do you make temporary or permanent copies of assets, and are they protected to the same level as the original assets?
- Do you store IT-based assets in accordance with the manufacturers' specifications?
- Do agreements exist for the exchange of information with other companies that contain procedures for mutually recognizing the respective classification of the information?

Implementation example: Walk-throughs of company premises in the absence of employees; entry checks
Possible evidence: Review of the documents listed in the classification scheme for compliance with the specifications
Possible key figure: Survey of the number of security incidents with human error as the cause (failure to follow the procedure)
A.8.3 Media handling
Objective: To prevent the unauthorized disclosure, modification, removal or destruction of information stored on media.

A.8.3.1 Management of removable media

Measure: The company has developed and implemented procedures for the handling of removable media in accordance with its classification scheme.

Audit questions:
- How do you ensure that information on removable media that is no longer needed is deleted in a non-recoverable manner?
- How do you take the classification of the information into account?
- Are there procedures in place to authorize and record the removal of media from the company?
- Do you use cryptographic methods to protect particularly sensitive data or information on removable media?
- Do copies of the information exist on separate media to protect against loss or destruction?
- Are all removable media that could be taken out of the company registered, in order to reduce the risk of data loss?
- How have you ensured that every transfer of data or information to removable media is logged?

Implementation example: Application of deletion procedures appropriate to the level of confidentiality; destruction of media; use of locked containers for collecting documents for confidential destruction.
Possible evidence: Procedure for deleting or destroying information (as paper documents and as electronic information)
Possible key figures:
- Recording of the media awaiting destruction in a database
- Proof of destruction (target 100%)

A.8.3.2 Disposal of media

Measure: The company disposes of media that are no longer needed using formal procedures.

Audit questions:
- Does a procedure exist according to which media that are no longer required are disposed of in accordance with their classification?
- Does the procedure make it possible to identify items that require particularly secure disposal?
- If disposal is not carried out by the company itself: according to which criteria are external service providers selected for the disposal of media?
- Is the disposal of each medium logged?

Implementation example: Procedures for the disposal of media
Possible evidence:
- Procedural instruction
- Walk-throughs of archive rooms
- Inspection of storage areas
- Workplace inspections
- Inspection of the disposal containers
Possible key figure: Number of security incidents with human error as the cause (non-observance of the procedure)
A.8.3.3 Physical media transfer

Measure: The company protects media containing information against unauthorized access, misuse or corruption during transport.

Audit questions:
- What precautions have you taken to protect media during transport?
- Are media containing sensitive information that is not cryptographically protected additionally protected against loss or unauthorized access by special security measures?
- Does a list of trusted couriers exist for the transport of media?
- How do you ensure that media to be transported are protected from physical damage or other influences?
- Do you keep records of the contents of the media and their protection, and do you record the time that elapses from dispatch to the logged arrival at the destination?

Implementation example: Procedure for handling media during transport
Possible evidence: Procedural instruction
Possible key figure: Number of security incidents with human error as the cause (non-observance of the procedure)
A.15 Supplier relationships

A.15.1 Information security in supplier relationships


Goal: The company protects assets that are accessible to suppliers.

A.15.1.1 Information security policy for supplier relationships

Measure: The company agrees information security requirements with its suppliers to reduce the risks arising from suppliers' access to company assets, and documents them.

Audit questions:
- Does the company have a policy containing information security requirements to reduce the risks arising from suppliers' access to company assets?
- Does the policy contain measures that are to be implemented specifically within the company, and others that are to be implemented specifically at the supplier?
- Have you identified and documented the different types of suppliers with which your company works?
- Is the type of access to information granted to each supplier defined, and is it monitored and controlled?
- Is a minimum level of information security defined for each type of information accessible to suppliers, as a basis for the individual supplier agreements?
- For each type of supplier and each type of access, do procedures or measures exist to monitor the implemented information security requirements, including third-party audits, product validation, and correctness and completeness checks?
- Are the company's information protection obligations that apply to suppliers identified?
- Are mutual arrangements or agreements made with regard to resilience, recovery and contingencies, in order to ensure the availability and processing of information?
- Are the conditions recorded under which information security requirements and the corresponding measures are included in an agreement signed by both parties?

Implementation example: Establish a policy that addresses the information security risks of dealing with suppliers. Establish a list of the company assets that are disclosed to suppliers, including an assessment of the risks of such disclosure.
Possible evidence:
- Current information security policy for supplier relationships
- Standardized process for dealing with suppliers over the entire duration of the business relationship
- Signed agreements on information security requirements
Possible key figures:
- Regular review of the risk assessment
- Number and results of supplier audits
Reference measure Good audit questions Implementation examples, evidence and key figures

A.15.1.2 Treatment of security in supplier agreements

Measure: Specific information security requirements are defined and agreed upon with those suppliers who
- have access to information of the company,
- process, store or pass on information,
- provide IT infrastructure components for it.

Good audit questions:
- Are specific information security requirements formulated and agreed upon for the group of suppliers named in the measure?
- Is there a description and classification of the information that is provided or accessed?
- Does the agreement contain legal or regulatory requirements on topics such as data protection/data backup or copyrights, and is it described how compliance with these requirements is ensured?
- Does the agreement include a commitment by both parties to implement an agreed set of measures for access control, performance monitoring, reporting and audits?
- Does a list of suppliers' personnel exist that shows who has authorized access to company information and who is allowed to receive information from the company?
- Does an incident management system with corresponding requirements exist, e.g. for cooperation in the elimination of an incident?
- Has the company included the right to audit supplier processes and measures related to the agreement?
- Are processes for correcting deficiencies and resolving conflicts implemented?
- Has it been agreed with the supplier to report on the effectiveness of measures at certain intervals and, if necessary, to correct named problems promptly?

Implementation examples: Inclusion of the essential aspects for maintaining information security in the respective supplier agreements.

Possible evidence:
- mutually signed agreements with suppliers
- process for correcting deficiencies and resolving conflicts
- incident management with corresponding requirements

Possible key figures:
- regular review as part of the internal audits by the asset owners responsible for the process
- Number of supplier audits


A.15.1.3 Supply chain for information and communication technology

Measure: The company agrees with its suppliers on requirements for dealing with information security risks associated with information and communication services and the product supply chain.

Good audit questions:
- Have you reached an agreement with your suppliers on how to deal with information security risks associated with information and communication services and the product supply chain?
- In addition to the general information security requirements for supplier relationships, have you defined requirements that apply to information or communications technology products or to the procurement of corresponding services?
- Does the agreement require suppliers to pass on the information security requirements for the company's products or services as required within the supply chain?
- Is a monitoring process implemented that uses acceptable methods to check and evaluate compliance with the given security requirements for delivered products or services?
- Is a process implemented to identify product or service components that are critical to maintaining functionality and therefore require increased attention?
- How is it ensured that critical components, including their origin, can be traced through the entire supply chain?
- How is it ensured that delivered information and telecommunication technology products function as expected?
- Are there rules for the exchange of information concerning possible difficulties or hazards with regard to the company and/or the suppliers?
- Is a process implemented with a view to the life cycle of certain information and telecommunications technology components or their availability, and are possible risks considered in this context?

Implementation examples: Inclusion of the essential aspects of information security in production chains in the respective supplier agreements.

Possible evidence:
- signed agreements with suppliers
- monitoring process that checks and evaluates, using acceptable methods, compliance with the given security requirements for delivered products or services

Possible key figures:
- regular review as part of the internal audits by the asset owners responsible for the process
- Number of supplier audits

A.15.2 Control of service provision from suppliers

Goal: Information security and service delivery are maintained at the level agreed in the supplier contracts.


A.15.2.1 Monitoring and review of supplier services

Measure: The company regularly monitors, reviews and audits the service provided by its suppliers.

Good audit questions:
- According to which criteria have you implemented the process for monitoring and auditing the services of your suppliers?
- Does this process include, but is not limited to, the following:
  - Monitoring the level of service performance(s)
  - Review of the service reports of the suppliers
  - Conduct of supplier audits and follow-up on identified issues
  - Providing information on information security incidents and reviewing them as agreed upon
  - Review of vendor logs and records of information security events, operational issues, errors, etc.
  - Treatment and solution of identified problems
  - Review of information security aspects in relation to the relationship of suppliers with their own suppliers
  - Ensuring that suppliers maintain sufficient performance capability and have developed actionable plans to ensure agreed service continuity following an incident

Implementation examples: Determination of measures for monitoring or auditing suppliers.

Possible evidence:
- protocols (records) for monitoring suppliers

Possible key figures:
- regular review as part of the internal audits by the asset owners responsible for the process
- Number and results of supplier audits


A.15.2.2 Monitoring and review of supplier services

Measure: The company manages changes in the provision of supplier services, including changes in the maintenance and improvement of existing information security policies, procedures and measures. In doing so, it takes into account the criticality of its affected information, systems and business processes and the results of a renewed risk assessment.

Good audit questions:
- How does the company manage changes related to the provision of supplier services?
- To what extent is the criticality of the affected information, systems and processes taken into account?
- How are changes to supplier agreements handled?
- How are changes managed that result from the implementation of new criteria by the company or supplier?

Implementation examples: Establishment of change management for suppliers.

Possible evidence:
- protocols (records) for dealing with suppliers

Possible key figures:
- regular review as part of the internal audits by the asset owner responsible for the process
- Number and results of supplier audits

A.16 Information security incident handling

A.16.1 Information security incident handling and improvements

Goal: Ensure that a consistent and effective approach exists for handling information security incidents, including the notification of security events and weaknesses.


A.16.1.1 Responsibilities and procedures

Measure: Responsibilities and procedures are defined for handling information security incidents to ensure a fast, effective and orderly response.

Good audit questions:
- According to which criteria have you defined responsibilities and procedures for handling information security incidents?
- Are procedures in place to plan and prepare for incident response and to monitor, detect, analyze, and report on events and incidents relevant to information security?
- Do procedures exist for recording incident management activities and handling forensic evidence?
- Is there a procedure for classifying information security events in terms of their severity and impact on the organization and for assessing weaknesses in information security?
- Does an incident response procedure exist with regard to escalation, controlled recovery and internal/external communication?
- Are procedures established to ensure, among other things, the following:
  - Information security incidents are handled by competent personnel
  - a contact point for recording information security incidents is established
  - Appropriate contacts are maintained with authorities and other external interested parties involved in information security incidents
- Do the reporting procedures include, but are not limited to, the following:
  - Forms that simplify the reporting of information security events
  - the detailed procedure to be followed in the event of an information security event
  - Referral to a disciplinary process for dealing with personnel who have committed a security violation
  - Appropriate feedback processes to ensure that individuals reporting information security incidents are informed of their respective outcomes after the incident has been addressed

Implementation examples: Use of a central incident management system in which all information security incidents identified in the company are recorded and processed. This includes both physical incidents and all incidents in connection with the processing and handling of information.

Possible evidence:
- incident management of the company with audit of incident handling
- established procedures that ensure, among other things, the following: information security incidents are handled only by competent personnel, and appropriate contacts are maintained with authorities and other external interested parties

Possible key figures:
- speed of processing (service level)
- number of all incidents (Note: Please use this only to get a general view of the robustness of the system. Do not assign a target metric to this, as it may lead to employees not reporting incidents.)
- Number of incidents found in the course of inspections and checks of authorizations


A.16.1.2 Information security event reporting

Measure: To ensure that information security events are handled, they are reported as quickly as possible through appropriate channels.

Good audit questions:
- How is it ensured that employees or contractors report an information security event as quickly as possible?
- What measure(s) has the company taken to ensure that employees and contractors are aware of the reporting procedure and the contact point provided for this purpose?
- Are employees and contractors aware of which situations are eligible for reporting as information security incidents, e.g., ineffective security controls, noncompliance with policies and procedures, uncontrolled system changes, software and/or hardware malfunctions, human error, etc.?

Implementation examples: Establishment of a company-owned central e-mail address for reporting security incidents. Important: have all detected security incidents been reported by employees?

Possible evidence:
- Procedure for reporting, and interviews with employees

Possible key figures:
- number of all incidents (Note: Please use this only to get a general view of the robustness of the system. Do not assign a target metric to this, as it may lead to employees not reporting incidents.)
- Number of incidents found in the course of inspections and checks of authorizations

A.16.1.3 Reporting of weaknesses in information security

Measure: The company encourages its employees and contractors to record and report any observed or suspected weaknesses in information security, systems or services.

Good audit questions:
- How does the company encourage its employees and contractors to record and report observed or suspected weaknesses in information security, systems or services?
- Are employees and contractors informed that they should not try to fix possible weak points in information security themselves because of the possible risks?

Implementation examples: Establishment of a company-owned central e-mail address for reporting security incidents. Important: have all detected security incidents been reported by employees?

Possible evidence:
- Communication with a call for open handling of identified vulnerabilities


A.16.1.4 Assessment of and decision on information security events

Measure: The company assesses information security events and decides whether they should be classified as such.

Good audit questions:
- What criteria do you use to decide whether an information security event is ultimately classified as such?
- Does the contact point for (possible) security-relevant events have a classification scale according to which such an event can be classified as relevant or not relevant?
- Are the results of the assessments and decisions recorded and stored?

Implementation examples: Establish criteria for maintaining information security and define principles for the secure use of information processing systems in the company.

Possible evidence:
- Criteria catalog for the classification of security incidents

Possible key figures:
- 100% evaluation of the security incidents based on the criteria
- recording of changes in the criteria after the analysis has been carried out

A.16.1.5 Response to information security incidents

Measure: The company responds to information security incidents in accordance with documented procedures.

Good audit questions:
- Have you implemented an information security incident response procedure?
- Has a point of contact been designated for information security incident response?
- Does the response to information security incidents include the following aspects / measures:
  - Collecting evidence as soon as possible after the event occurs
  - if necessary, performing forensic analyses
  - Escalation if necessary
  - Ensuring that all response actions are logged
  - internal/external notification of the incident according to the "need-to-know" principle
  - Addressing the information security weakness that triggered the incident
  - Formal closure and documentation after successful handling of the incident

Implementation examples: Establishing a procedure.

Possible evidence:
- procedural instruction

Possible key figure:
- Were 100% of the detected incidents processed according to this procedure?


A.16.1.6 Findings from information security incidents

Measure: Insights from the analysis and resolution of information security incidents are used to reduce the likelihood of occurrence or impact of future incidents.

Good audit questions:
- Is there a mechanism to use findings from information security incident analysis and resolution to reduce the likelihood or impact of future incidents?

Implementation examples: Establishment of a procedure that takes "lessons learned" into consideration.

Possible evidence:
- the procedure contains mechanisms to ensure that vulnerabilities that have occurred do not recur

Possible key figure:
- 100% of all procedures contain the further course of action and the defined measures derived from the incident

A.16.1.7 Collecting evidence

Measure: The company has established procedures for the identification, collection, recording and retention of information that may be used as evidence.

Good audit questions:
- What procedures does the company use to identify, collect, record and store information that can be used as evidence?
- Do the procedures include processes for the identification, collection and preservation of evidence related to the respective types of media and devices?
- Do the procedures take into account aspects such as the chain of custody, security of evidence, security of personnel, roles and responsibilities of participants, etc.?

Implementation examples: Processing of incidents in a database or also on a file basis. It must be ensured that evidence cannot be subsequently changed.

Possible evidence:
- continuous logs (protocols)
- checking the integrity of the logs (prevention of subsequent changes)

Possible key figures:
- secure reporting
- unambiguousness of the verification

A.17 Information security aspects of business continuity management

A.17.1 Maintaining information security

Goal: The company has embedded the maintenance of information security into its business continuity management (BCM) system.


A.17.1.1 Planning to maintain information security

Measure: The company determines requirements for information security and for maintaining information security management in the event of crisis situations or disasters.

Good audit questions:
- According to which criteria has the company set requirements for information security and for maintaining information security management in the event of information loss, system failures, crisis situations or even disasters?
- Have you determined whether the maintenance of information security is covered by the emergency response process or (if applicable) by the BCM process?

Implementation examples: Establish contingency plans in case of data loss, system loss, or misappropriation of company information by third parties. Establish criteria to prevent insolvency. In this context, management must define recovery times for the company's critical information assets as part of the risk analysis.

Possible evidence:
- Definitions for dealing with crisis situations in connection with the processing of information

Possible key figures:
- periodic review of the assessment of the risk in case of loss of information
- Checking the crisis scenario for up-to-dateness


A.17.1.2 Implement the maintenance of information security

Measure: To ensure the required level of information security even in the event of a crisis situation or disaster, the company defines, documents, implements and maintains processes, procedures and measures.

Good audit questions:
- What processes, procedures and measures has the company established, implemented, documented and maintained to ensure the required level of information security even in the event of a crisis situation or disaster?
- Is it ensured that an appropriate management structure including authorized, experienced and competent personnel is in place to be prepared for an incident, to mitigate or respond to it if necessary, and to maintain information security as far as possible?
- Are documented plans, response or recovery procedures developed and approved that detail how the company will handle incidents?
- Are the following aspects implemented, documented and maintained with regard to the company's information security requirements?
  - Information security measures within the BCM or emergency response process
  - Adaptation of processes, procedures, etc., to maintain existing information security measures during an adverse situation
  - compensatory measures if existing information security measures cannot be adapted during an adverse situation

Implementation examples: Establish contingency plans for data loss, system loss, or misappropriation of company information by third parties. Establishment of criteria to avoid insolvency. In this context, the management must determine recovery times for the company's critical information assets as part of the risk analysis.

Possible evidence:
- List of processes and procedures that have been classified by the company as business-critical

Possible key figure:
- regular review as part of the internal audits by the asset owners responsible for the process


A.17.1.3 Review and evaluate the maintenance of information security

Measure: The company conducts regular reviews to ensure the validity and effectiveness of the measures defined and implemented for the event of a crisis or disaster.

Good audit questions:
- In what way do you regularly check that the validity and effectiveness of the measures defined and implemented for the event of a crisis or disaster are ensured?
- Are exercises and tests of the functionality of the information security processes and procedures, and of the knowledge and routine necessary for their implementation, carried out in the course of this review?
- Is the validity and effectiveness of measures to ensure the continuity of information security checked in the event of changes of any kind?

Implementation examples: Establishment of crisis teams, definition of communication channels in the event of a crisis, strengthening of the organization to cope with crises.

Possible evidence:
- protocols (records) of tests of emergency scenarios

Possible key figures:
- regular review within the scope of internal audits by the asset owners responsible for the process, implementation of emergency tests
- number of emergency tests performed

A.17.2 Redundancies
Goal: Ensure that information-processing facilities are available.


A.17.2.1 Availability of information-processing facilities

Measure: Information-processing systems are designed with sufficient redundancy to meet availability requirements.

Good audit questions:
- Are the information processing facilities sufficiently redundant to meet the availability requirements?
- Are the redundant systems regularly checked for functionality?
- Is their power supply ensured in case of emergency?

Implementation examples: Information that has been classified as company-relevant should only be operated on redundant systems. Setting up RAID systems and redundant power supplies, and keeping components on hand to ensure that networks are maintained (e.g. routers, firewalls, etc.).

Possible evidence:
- installation concept
- check on the devices (presence of RAID systems)
- dual power supply of fail-safe systems

Possible metrics:
- regular review as part of the internal audits by the asset owner responsible for the process
- Implementation of emergency tests
- monitoring of the infrastructure to ensure the power supply
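One concrete form of the "regularly checked for functionality" question for the RAID systems named as evidence above is to read the Linux software-RAID status (/proc/mdstat) and flag arrays with failed or missing members. The following Python is an added example, not DQS's or any vendor's code; the /proc/mdstat text is a constructed sample with hypothetical device names, and the parser covers the common layout only, not every variant the kernel can print.

```python
import re

# Constructed sample of /proc/mdstat (Linux md RAID status); device names are hypothetical.
# md0 is a healthy two-disk mirror, md1 is a RAID-5 with one failed member (marked "(F)").
SAMPLE_MDSTAT = """\
Personalities : [raid1] [raid5]
md0 : active raid1 sdb1[1] sda1[0]
      976630464 blocks super 1.2 [2/2] [UU]
      bitmap: 0/8 pages [0KB], 65536KB chunk

md1 : active raid5 sdd1[3] sdc1[2] sde1[1](F) sdf1[0]
      2929886208 blocks super 1.2 level 5, 512k chunk, algorithm 2 [4/3] [UUU_]

unused devices: <none>
"""

ARRAY_RE = re.compile(r"^(md\d+)\s*:\s*(\S+)\s+(\S+)\s+(.*)$")   # "md0 : active raid1 sdb1[1] ..."
MEMBER_RE = re.compile(r"(\S+?)\[\d+\](\([A-Z]\))?")             # "sde1[1](F)" -> ("sde1", "(F)")
STATUS_RE = re.compile(r"\[(\d+)/(\d+)\]\s+\[([U_]+)\]")         # "[4/3] [UUU_]"


def parse_mdstat(text: str) -> list:
    """Parse the array header and status lines of /proc/mdstat into one dict per array."""
    arrays = []
    for line in text.splitlines():
        m = ARRAY_RE.match(line)
        if m:
            name, state, level, members = m.groups()
            found = MEMBER_RE.findall(members)
            arrays.append({
                "name": name, "state": state, "level": level,
                "members": [dev for dev, _ in found],
                "failed": [dev for dev, flag in found if flag == "(F)"],
                "configured": None, "active": None, "status": None,
            })
            continue
        s = STATUS_RE.search(line)
        if s and arrays:  # status line belongs to the most recent array header
            arrays[-1]["configured"] = int(s.group(1))
            arrays[-1]["active"] = int(s.group(2))
            arrays[-1]["status"] = s.group(3)
    return arrays


def degraded_arrays(arrays: list) -> list:
    """An array is degraded if it is not active, has a failed member, or is missing members."""
    return [a for a in arrays
            if a["state"] != "active"
            or a["failed"]
            or (a["configured"] is not None and a["active"] < a["configured"])
            or (a["status"] is not None and "_" in a["status"])]


def check_host(text: str = SAMPLE_MDSTAT) -> dict:
    """Summary an availability check would record: array count, degraded arrays, failed members."""
    arrays = parse_mdstat(text)
    bad = degraded_arrays(arrays)
    return {
        "arrays": len(arrays),
        "degraded": [a["name"] for a in bad],
        "failed_members": {a["name"]: a["failed"] for a in bad},
    }


if __name__ == "__main__":
    print(check_host())  # {'arrays': 2, 'degraded': ['md1'], 'failed_members': {'md1': ['sde1']}}
```

On a real host, call check_host(open("/proc/mdstat").read()) from the monitoring job; a non-empty "degraded" list is the finding an auditor expects to see raised and followed up. Hardware RAID controllers and ZFS pools do not appear in /proc/mdstat and need their own vendor tooling for the same check.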

A.18 Compliance

A.18.1 Compliance with legal and contractual requirements

Goal: The company avoids violations of legal, regulatory and self-imposed or contractual obligations that have a bearing on information security, as well as of any other type of security requirement.


A.18.1.1 Determination of the applicable legislation and contractual requirements

Measure: The company identifies and documents all relevant legal, regulatory, self-imposed or contractual requirements for each information system and for the company as a whole, as well as the company's procedures for complying with these requirements, and ensures that they are kept up to date.

Good audit questions:
- Are specific measures and individual responsibilities defined and documented in order to fulfill all relevant compliance requirements in connection with information security?
- How is it ensured that in business contact with foreign countries all laws and regulations applicable there are observed?

Implementation examples: Use of a legal register including responsibilities and the measures derived from it.


A.18.1.2 Intellectual property rights

Measure: The company has implemented appropriate procedures to ensure compliance with legal, regulatory and contractual requirements relating to intellectual property rights and the use of proprietary software products.

Good audit questions:
- Does the company have a process in place to ensure compliance with legal, regulatory, and contractual requirements related to intellectual property rights and the use of copyrighted software products?
- Does the procedure include a copyright compliance policy that defines the legal use of software and information products?
- How is it ensured that software is only obtained from known and reputable sources, for the protection of intellectual property, and that only authorized software is installed?
- How is awareness of the guidelines for the protection of intellectual property rights maintained within the company?
- Is a list of assets maintained that identifies all assets with intellectual property protection requirements?
- Is evidence kept with regard to the ownership of license rights, etc.?
- Is there a policy on the sale or transfer of software to third parties?
- How is it ensured that neither complete nor partial copies are made of articles and reports protected by copyright?

Implementation examples: Establish a procedure to take into account legal, regulatory and contractual requirements related to intellectual property rights and the use of proprietary software products.

Possible evidence:
- procedures to ensure compliance with legal, regulatory and contractual requirements with respect to intellectual property rights and the use of copyrighted software products
- List of assets identifying all assets with intellectual property protection requirements

Possible key figure:
- regular review as part of the internal audits by the asset owners responsible for the process


A.18.1.3 Protection of records

Measure: Records are protected against loss, destruction, falsification, unauthorized access and unauthorized disclosure. This protection meets legal, regulatory, contractual and business requirements.

Good audit questions:
- How are records protected from loss, destruction, falsification, unauthorized access, and unauthorized disclosure?
- What criteria do you use to ensure that this protection meets legal, regulatory, contractual and business requirements?
- Does the company have a policy that specifies the retention, storage, handling and disposal of records and information?
- Does a retention schedule exist that allows the identification of records and indicates the retention period?
- Does a register exist of the sources of key information that should be retained?

Implementation examples: Separation in the context of Active Directory rights assignment, with definition of read, write and read/write/change rights.

Possible evidence:
- documented information
- Verification that the immutability of this evidence is assured (preservation of integrity)

Possible key figure:
- regular review as part of the internal audits by the asset owners responsible for the process
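The requirement of A.16.1.7 that evidence "cannot be subsequently changed" and the evidence item named under A.18.1.3, verification that the immutability of records is assured, both come down to the same technical question an auditor will ask: can the company show that a custody record has not been edited or trimmed after the fact? Below is an added Python example, not DQS's code and not anything prescribed by ISO 27001, of a hash-chained chain-of-custody log in which every entry commits to the digest of the previous one; the field names, custodian IDs and artifact names are constructed for illustration.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # stands in for the "previous hash" of the very first entry


def _digest(prev_hash: str, record: dict) -> str:
    """SHA-256 over the previous link plus a canonical JSON form of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(prev_hash.encode("ascii") + payload).hexdigest()


def append_entry(chain: list, custodian: str, action: str, artifact: str,
                 artifact_sha256: str, timestamp: str) -> dict:
    """Append one chain-of-custody entry (who did what with which artifact, when).

    The entry commits to the digest of the previous entry, so editing, re-ordering or
    deleting any earlier entry changes the recomputed digests from that point on.
    """
    record = {
        "seq": len(chain),
        "timestamp": timestamp,
        "custodian": custodian,
        "action": action,
        "artifact": artifact,
        "artifact_sha256": artifact_sha256,
    }
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"record": record, "prev_hash": prev, "hash": _digest(prev, record)}
    chain.append(entry)
    return entry


def verify_chain(chain: list):
    """Recompute every link. Returns (True, None) if intact, else (False, seq of first broken entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev or entry["record"]["seq"] != i:
            return False, i  # link or sequence broken: an entry was removed or inserted
        if _digest(prev, entry["record"]) != entry["hash"]:
            return False, i  # record content no longer matches its stored digest
        prev = entry["hash"]
    return True, None


def custody_trail(chain: list, artifact: str) -> list:
    """The chain-of-custody question an auditor asks: who handled this artifact, in what order?"""
    return [(e["record"]["timestamp"], e["record"]["custodian"], e["record"]["action"])
            for e in chain if e["record"]["artifact"] == artifact]


def build_sample_chain() -> list:
    """Constructed sample entries (hypothetical custodians, artifact names and hashes, not real data)."""
    chain = []
    append_entry(chain, "j.doe", "collected", "disk-image-ws042", "ab" * 32, "2022-07-01T08:12:00Z")
    append_entry(chain, "j.doe", "hashed", "disk-image-ws042", "ab" * 32, "2022-07-01T08:40:00Z")
    append_entry(chain, "m.mueller", "received", "disk-image-ws042", "ab" * 32, "2022-07-01T10:05:00Z")
    append_entry(chain, "m.mueller", "collected", "mail-export-inc0042", "cd" * 32, "2022-07-01T11:30:00Z")
    return chain


def tampered_copy(chain: list) -> list:
    """Copy of the chain with one field rewritten after the fact, to show that it is detected."""
    bad = copy.deepcopy(chain)
    bad[1]["record"]["custodian"] = "someone.else"
    return bad


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain))                     # (True, None)
    print("edited:", verify_chain(tampered_copy(chain)))      # (False, 1)
    print("truncated:", verify_chain(chain[:2] + chain[3:]))  # (False, 2)
    for row in custody_trail(chain, "disk-image-ws042"):
        print(row)
```

A chain like this proves edits and deletions only if its latest digest is recorded somewhere the log writer cannot alter, for example in the signed audit minutes or a write-once store; otherwise an insider with write access could simply regenerate the whole chain. Anchoring the head digest externally is what turns "checking the integrity of the logs" into evidence an auditor can rely on.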

A.18.1.4 Privacy and protection of personal information

Measure: The company ensures, where applicable, that privacy and personal information are protected in accordance with the requirements of the relevant laws and regulations.

Good audit questions:
- If applicable: How does the company ensure that privacy and personal information are protected in accordance with the requirements of the relevant laws and regulations?
- Has the company developed, and does it apply, a policy for dealing with data protection requirements and requirements for the protection of identifying information?
- How is it ensured that all persons who handle information for the identification of persons are aware of this guideline?

Implementation examples: Identify the procedures and processes in which personal information is processed. Protection of these processes to comply with the legal requirements for data protection (encryption, anonymization, pseudonymization).

Possible evidence:
- documented information
- Verification that the immutability of this evidence is assured (preservation of integrity)

Possible key figures:
- regular review as part of the internal audits by the asset owners responsible for the process
- Number of data privacy violations identified
- Number of reportable incidents


A.18.1.5 Regulations regarding cryptographic measures

Measure: Cryptographic measures are applied in compliance with all relevant agreements, laws and regulations.

Good audit questions:
- How do you ensure that cryptographic measures are applied in compliance with all relevant agreements, laws and regulations?
- To what extent are restrictions on the import or export of software and hardware used to perform cryptographic functions taken into account?
- To what extent are restrictions on the use of cryptographic measures taken into account?
- How are cryptographic keys handled, where applicable?

Implementation examples: Procedures and processes in which personal information is processed. Protection of these processes to comply with the legal requirements for data protection (encryption, anonymization, pseudonymization).

Possible evidence:
- procedure for taking into account data-protection-relevant requirements for the protection of personal information

Possible key figure:
- regular review as part of the internal audits by the asset owners responsible for the process

A.18.2 Information security reviews
Goal: The organization implements and applies information security in accordance with its policies and procedures.


A.18.2.1 Independent verification of information security

Measure: The company reviews independently, at planned intervals or in the event of significant changes, whether its approach to managing information security and its implementation is appropriate and effective. The focus is on information security objectives, measures, policies, processes and procedures.

Good audit questions:
- How does the company independently verify the effectiveness and appropriateness of its approach to managing information security and its implementation?
- How is the independence of such a review ensured?
- Does the review focus on improving the existing information security measure objectives, measures, policies, processes, and procedures?
- Are the results of this independent review recorded, reported to the management that commissioned the review, and retained?

Implementation examples: Planning and execution of regular internal or external audits.

Possible evidence:
- audit logs of regular checks of access and access authorizations in accordance with the defined role profile
- implementation of audits by third parties or certifications

Possible key figure:
- Number of audits per year


A.18.2.2 Compliance with security policies and standards

Measure: Senior executives regularly review compliance with security policies, standards, and other security requirements for information processing and procedures within their areas of responsibility.

Good audit questions:
- In what way do senior executives verify compliance with security policies, standards, and other security requirements in information processing and procedures under their responsibility?
- What do senior executives do in the event that nonconformities are discovered?
- Are the results of the review recorded and kept?

Implementation examples: Verification of access credentials.

Possible evidence:
- audit trails of regular checks of access and access authorizations according to the defined role profile

Possible key figure:
- Number of internal audits per year

A.18.2.3 Verification of compliance with technical specifications

Measure: The company regularly reviews its information systems for compliance with the information security policies and standards.

Good audit questions:
- In what way does the company check its information systems for compliance with information security policies and standards?
- Is it ensured that this type of testing is only carried out by competent and authorized persons (or under their supervision)?

Implementation examples: Planning and execution of regular internal audits.

Possible evidence:
- reports of the internal audits

Possible key figure:
- Number of internal audits per year

Our tip

For more information about information security according to ISO 27001, visit our blog or sign up for an event on www.dqsglobal.com/learn

DQS: Simply leveraging Quality.

In everything we do, we set the highest standards for quality and competence in every project. This makes our actions the benchmark for our industry, but also our own maxim, which we set anew every day.

We see ourselves as important partners of our customers, with whom we work at eye level on sustainable added value. Our goal is to provide companies with important services through the simplest processes as well as the highest adherence to deadlines and reliability, and to provide value-creating impetus for their entrepreneurial success.

We see ourselves as pioneers and innovators in order to maintain, create and improve internationally comparable standards. Products, processes or services thus become safer and of higher quality worldwide. Our certifications simplify global exchange between companies, authorities or organizations and at the same time strengthen the trust of customers and consumers in products, services and companies. We therefore see our work as an important contribution to society.

Our core competencies lie in the performance of certification audits and assessments. This makes us one of the leading providers worldwide, with the claim to always set new standards in terms of reliability, quality and customer orientation.

Over 2,500 top-qualified and experienced auditors conduct over 125,000 customized audits in more than 60 countries according to over 200 recognized norms and standards.

We have been setting the highest standards of expertise, experience and quality for our customers since 1985. This applies to every phase of the collaboration. Only in this way can we achieve our goal of maximum customer satisfaction.

Simply leveraging Security.

IMPRINT
DQS Holding GmbH
August-Schanz-Strasse 21
60433 Frankfurt am Main
Germany

Image material: shutterstock.com
Reprinting or duplication, including excerpts, only with the permission of DQS.
Status: July 2022

Contact us:
DQS GmbH
German Society for the Certification of Management Systems
August-Schanz-Strasse 21
60433 Frankfurt am Main
Phone +49 69 95427-0
www.dqsglobal.com
