Questions for the board and executives when undertaking ISO 27001 certification

When undertaking an audit or review for ISO 27001, we regularly get asked what are the questions that the executives or board members may be asked during the investigation phase. To assist you, we have compiled a sample of questions that would be put to executives or board members.

This list is not exhaustive or final but it will hopefully provide some insight into the type of questions that they may face when undertaking an ISO 27001 certification.


Executives and Board questions

  • What are the reasons behind your desire to achieve ISO 27001 certification?
  • What is your organisational structure and cyber security sponsorship?
  • Has your organisation defined and prioritised its most valuable information assets?
  • What are the external and internal organisational issues that may affect the ability to achieve the intended outcomes of this ISMS?
  • Who are the interested parties that are relevant to the ISMS and what are the requirements of these interested parties?
  • How can the organisation prove its commitment to establish, implement, maintain and continually improve an ISMS, in accordance with the requirements of ISO 27001?
  • When building the scope, which areas are covered and which are out of scope?
  • Where is your organisation’s data located physically and logically?
  • Who owns it, and how important is it to the business? (What would the impact be to the business if it was lost or corrupted?)
  • Do you have a documented chain of information ownership and responsibilities?
  • Do you have an up-to-date Information Security Management System (ISMS)?
  • What are the greatest risk areas to your organisation from the perspective of cybersecurity, and how are they categorised?
  • What are the major functional, procedural, policy, and governance methods by which you mitigate these identified cyber risks?
  • What is the recommended method for the Board to measure and monitor cyber risk?
  • What governance, risk, and compliance (GRC) processes and automation do you use?
  • Explain your disaster recovery plan, incident response procedures and breach notification procedure.
  • Describe the roles, responsibilities, and testing undertaken for incident response.
  • Is cybersecurity treated as an enterprise-wide risk management issue, not just an IT issue?
  • Does the board understand the legal implications of cyber risks as they relate to the company’s context?
  • Have you thought about which cyber risks are to be avoided, accepted, mitigated, or transferred through insurance?
  • Do you know where your Personally Identifiable Information (PII) is located, how it is classified and whether it is encrypted?
  • Who, within your organisation, and externally, will have access to your data and with what access privileges?
  • What is your organisation’s risk profile/maturity and what is considered an unacceptable risk?
  • Does your organisation have documented security and privacy policies?
  • Are you aware of any previous security breaches within the organisation?
  • Do you have an up-to-date asset register?
  • Do you have an up-to-date register of processes and procedures which is aligned with your policies?
  • Does the organisation have document management systems in place with appropriate control procedures?
  • Do you have an up-to-date risk register?
  • Do you have data classification controls in place?
  • When was your last security audit and what were its findings?
  • Are your employees familiar with the security policies and procedures? How is this communicated to them?
  • Does your organisation have a formal process to assess the risk of vendors, customers, and service providers?
  • Describe the process and what area within your organisation is responsible.
  • Do you have a formal security awareness program in place that measures staff behaviour? Please describe this.

Management questions

  • Do you have physical security in place to protect information assets in offices and other facilities where information assets are stored or processed? If so, please describe.
  • Do you protect data at rest using encryption? If so, please describe, including information on each of the following: laptops, desktops, databases/applications, back-ups, removable media, and portable devices (e.g., phones/tablets).
  • Do you have a shadow IT procedure?
  • Is there a physical or logical network and server segregation that exists between client environments? If so, describe.
  • Do you have monitoring (including log monitoring) regularly conducted on your network(s)? If so, describe systems and procedures that are used to identify data breaches or security risks.
  • Do you have an access control policy? If so, describe how it relates to access approvals, role-based access, the principle of least privilege, segregation of duties, access reviews, and role changes or terminations.
  • Do you have password policies and management procedures? If so, please describe.
  • Do you have policies and procedures for anti-malware in your corporate and client environments? If so, please describe.
  • Do you have wireless policies and practices as they pertain to access to corporate and client networks? If so, please describe.
  • Does your organisation have encryption tools to protect confidential/personal information that is in transit over public networks? If so, describe how these tools are used.
  • If electronic information will be transmitted or exchanged, does your company have controls in place governing how that data may be used?
  • Do you perform third-party network penetration and vulnerability testing? If so, please provide a summary of the results from your last third-party test.
  • Do partners or subcontractors access network systems? If so, please describe how.
  • Is auditing enabled for all appropriate events (e.g., is a record of individuals who log into the system maintained)? If so, describe how long audit logs are archived.
  • Does your security system have defence capabilities such as anti-malware and deep packet inspection activated?
  • Do you control data access by both end-users and privileged users? If so, describe.
  • Is there a physical or logical network and server segregation that exists between client environments and your corporate environment? If so, please describe.
  • Do you have patch-management policies and practices? If so, please describe.
  • Do you have change-management policies and practices? If so, please describe.
  • Do you have Data Loss Prevention policies (both written and technical) and practices? If so, please describe.
  • Are there protections in place for remote access connectivity, including authentication mechanisms, encryption algorithms and key lengths, and account management processes? If so, please list them.
  • Are all employees with access to network systems and data required to undergo background checks prior to employment?
  • Are access controls in place that cover permissions, changes, and terminations?
  • Do you have a robust password policy to ensure all users have strong passwords? Do you use two-factor authentication?
  • Do you allow BYOD and do you have an MDM in place? If so, please describe.
  • How do you manage remote access?
  • Do users have admin access to their own devices?
  • Do you have policies to restrict physical access to servers or electronic information systems?
  • Are your computers and other systems physically secured?
  • Do your employees wear an ID badge with a current photo?
  • Do you create a unique user account and username for everyone?
  • Are admin accounts used only for performing admin tasks?
  • Are devices automatically locked when left unattended?
  • Is the use of USBs and external hard drives from unfamiliar sources restricted?
  • Are user accounts, especially those with admin privileges, removed when no longer required?
  • Is system access limited based on roles and needs?
  • Do you have daily scheduled backups for all critical files and data?
  • Do you have an acceptable use policy covering the use of computers, mobile devices, and other IT resources as well as Social Media tools?

Our cyber security experts are here to help

We work with businesses of all sizes to help them identify and then manage their cyber security risks.