ISO 27002 Version 2022 Audit questionnaire

Information Security Policy

Does the organization have an information security policy?

Is the information security policy reviewed and approved by management?

Is the information security policy communicated to all employees?

Is the information security policy regularly reviewed and updated?

Organization of Information Security

Management Commitment

Does top management demonstrate commitment to information security?

Are responsibilities for information security defined and communicated?

Is there a designated information security officer?

Is there a clear organizational structure for information security?

Internal Organization

Are roles and responsibilities for information security defined?

Is segregation of duties implemented where appropriate?

Are employees aware of their information security responsibilities?

Is there a process for managing information security incidents?

Human Resource Security

Prior to Employment

Are background checks conducted for new employees?

Are employment contracts or agreements in place?

Are employees required to sign confidentiality agreements?

During Employment

Is security awareness training provided to employees?

Are employees aware of the consequences of non-compliance?

Are employees required to report any security incidents or breaches?

Is there a process for disciplinary action in case of non-compliance?

Asset Management

Responsibility for Assets

Are information assets identified and assigned to responsible individuals?

Is there a process for the classification of information assets?

Is there a process for the protection of information assets?

Information Classification

Are information assets classified based on their importance and sensitivity?

Is there a process for labeling and handling classified information?

Are appropriate controls in place for the storage and access of classified information?

Is there a process for the disposal of information assets?

Access Control

User Access Management

Is there a process for granting and revoking user access rights?

Are user access rights reviewed and updated regularly?

Is there a process for managing user passwords and authentication?

User Responsibilities

Are users aware of their access control responsibilities?

Are users required to use strong passwords?

Is there a process for reporting and managing unauthorized access attempts?

These are just a few examples, and the actual checklist may vary depending on the specific requirements and scope of the ISO 27002 Version 2022 Audit questionnaire.