Internal Security Audit Questionnaire
Basic internal audit review points.
Based on ISO/IEC 27002:2022 and CIS Controls v8.1
The questionnaire aims to assess the implementation, relevance and effectiveness of information security controls before the external audit or certification.
□ The asset inventory is current and includes servers, workstations, cloud resources, network equipment and critical applications.
□ The risk register has been updated and risks have been assessed against the organisation's risk tolerance.
□ The information security policy has been approved, dated, regularly reviewed and communicated to staff.
□ Information security roles and responsibilities are clearly defined and documented.
□ The access rights of users and administrators are regularly reviewed and in line with their job responsibilities.
□ Privileged accounts are protected by MFA, restricted access and enhanced monitoring.
□ A password and authentication policy is in place and meets the organisation's security requirements.
□ System configurations are standardised, documented and protected against unauthorised changes.
□ Security updates and vulnerability fixes are applied within the defined deadlines.
□ Backups are made on a regular basis and data restoration has been tested within the last 3 months.
□ Audit logs are collected, protected, monitored and retained for an appropriate period.
□ Network segmentation and basic network security controls have been introduced.
□ An incident response plan, an incident register and escalation procedures have been established.
□ Staff have been provided with information security training within the last 12 months.
□ Suppliers and external service providers are assessed for security risk.
□ Contracts with third parties include confidentiality, data protection, incident reporting and auditing requirements.
□ Security assessments, vulnerability scanning or penetration testing have been performed on critical systems.
□ There is a business continuity and IT recovery plan for critical services.
□ Security controls are regularly reviewed and corrective measures are adopted for non-compliances.