Inspection list

Internal Safety Audit Questionnaire

Basic internal audit review points.

Based on ISO/IEC 27002:2022 and CIS Controls v8.1

The questionnaire aims to assess the implementation, relevance and effectiveness of information security controls before the external audit or certification.

□ The asset inventory is current and includes servers, workstations, cloud resources, network equipment and critical applications.

□ The risk register has been updated and the risks have been assessed against the organisation's risk tolerance level.

□ The information security policy has been approved, dated, regularly reviewed and communicated to staff.

□ Information security roles and responsibilities are clearly defined and documented.

□ The access rights of users and administrators are regularly reviewed and in line with their job responsibilities.

□ Privileged accounts are protected with MFA, restricted access and enhanced monitoring.

□ A password and authentication policy is in place and meets the organisation's security requirements.

□ System configurations are standardised, documented and protected against unauthorised changes.

□ Security updates and vulnerability fixes are applied within the defined deadlines.

□ Backups are taken regularly and a data restore has been tested within the last 3 months.

□ Audit logs are collected, protected, monitored and retained for an appropriate period.

□ Network segmentation and basic network security controls have been introduced.

□ An incident response plan, an incident register and escalation procedures have been established.

□ Staff have been provided with information security training within the last 12 months.

□ Suppliers and external service providers are assessed for the level of security risk they pose.

□ Contracts with third parties include confidentiality, data protection, incident reporting and auditing requirements.

□ A security assessment, vulnerability scan or penetration test has been performed on critical systems.

□ There is a business continuity and IT recovery plan for critical services.

□ Security controls are regularly reviewed and corrective actions are taken for identified non-compliances.