With the updates in ISO/IEC 27001:2022, audit questions must evolve to properly assess compliance with new and revised controls. Effective audit questions facilitate thorough evaluation of control implementation, risk management, and organizational readiness.
Sample Audit Questions for New/Updated Controls
Below is a selection of sample audit questions aligned with key new or significantly updated controls in the 2022 standard, designed to guide auditors in their verification and assessment activities.
1. Threat Intelligence (Annex A 5.7)
How does the organization collect and analyze information on current and emerging threats?
What processes are in place to disseminate threat intelligence to relevant stakeholders and update security measures accordingly?
2. Information Security for Use of Cloud Services (Annex A 5.23)
How does the organization assess and manage risks associated with cloud service providers?
Are there contractual agreements with cloud providers specifying information security requirements and responsibilities?
3. ICT Readiness for Business Continuity (Annex A 5.30)
What measures exist to ensure ICT systems support critical business functions during disruptions?
Have ICT continuity plans been tested and updated regularly?
4. Physical Security Monitoring (Annex A 7.4)
What technologies or processes are used to monitor physical security controls continuously?
How are physical security incidents detected, reported, and addressed?
5. Configuration Management (Annex A 8.9)
Does the organization maintain an up-to-date inventory of authorized system configurations?
How are unauthorized configuration changes identified and remediated?
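When an auditor asks how unauthorized configuration changes are identified, the evidence they usually expect is a recorded baseline of approved configurations and a repeatable comparison against the live state. The following is an added illustration, not part of the original text and not tied to any particular product: it records the approved configuration as a set of path-to-SHA-256 digests and reports three kinds of drift (modified files, files present but not in the baseline, and baseline files that have disappeared). The file paths and contents are constructed sample data, and the function and class names are this example's own.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample data (not taken from any real host): configuration
# file contents at the time the baseline was approved.
APPROVED_CONFIGS = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL:ALL) ALL\n%admin ALL=(ALL) ALL\n",
    "/etc/nginx/nginx.conf": b"server_tokens off;\n",
}

# Constructed sample data: the same host as observed at audit time.
# sshd_config was altered, an unapproved cron file appeared, and
# nginx.conf was removed.
OBSERVED_CONFIGS = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL:ALL) ALL\n%admin ALL=(ALL) ALL\n",
    "/etc/cron.d/unapproved-job": b"*/5 * * * * root /opt/unapproved/run.sh\n",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of file contents."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(configs: dict[str, bytes]) -> dict[str, str]:
    """Record the authorized state as path -> SHA-256 of the contents.

    Storing digests instead of contents keeps the inventory small and
    avoids copying secrets from the configuration files into the
    baseline store. The baseline itself should be change-controlled,
    so that the auditor can see who approved each revision.
    """
    return {path: sha256_hex(content) for path, content in configs.items()}


@dataclass
class DriftReport:
    modified: list[str] = field(default_factory=list)      # in both, digest differs
    unauthorized: list[str] = field(default_factory=list)  # observed, not in baseline
    missing: list[str] = field(default_factory=list)       # in baseline, not observed

    def is_clean(self) -> bool:
        return not (self.modified or self.unauthorized or self.missing)


def detect_drift(baseline: dict[str, str], observed: dict[str, bytes]) -> DriftReport:
    """Compare the observed configuration against the approved baseline.

    Every path is classified exactly once; paths are processed in sorted
    order so the report is deterministic and can be diffed across runs.
    """
    report = DriftReport()
    for path in sorted(set(baseline) | set(observed)):
        if path not in observed:
            report.missing.append(path)
        elif path not in baseline:
            report.unauthorized.append(path)
        elif sha256_hex(observed[path]) != baseline[path]:
            report.modified.append(path)
    return report


if __name__ == "__main__":
    baseline = build_baseline(APPROVED_CONFIGS)
    report = detect_drift(baseline, OBSERVED_CONFIGS)
    for label, paths in (
        ("modified", report.modified),
        ("unauthorized", report.unauthorized),
        ("missing", report.missing),
    ):
        for path in paths:
            print(f"{label:12s} {path}")
    print("baseline clean" if report.is_clean() else "drift detected")
```

In practice the observed side would be collected by an agent or configuration-management tool on a schedule, and each non-empty report would open a ticket; the remediation question in the audit is then answered by the ticket trail that shows the change being either reverted or approved and folded into a new baseline revision.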
6. Information Deletion (Annex A 8.10)
Are procedures in place for secure deletion of information in accordance with legal and organizational policies?
How does the organization verify that deleted information cannot be recovered by unauthorized parties, using sanitization methods appropriate to the storage media involved?
7. Data Masking and Data Leakage Prevention (Annex A 8.11 and 8.12)
What mechanisms are employed to mask sensitive data in non-production environments?
How does the organization monitor and prevent data leakage incidents?
8. Monitoring Activities (Annex A 8.16)
Is continuous monitoring conducted on critical systems and networks to detect anomalous activities?
How are monitoring results analyzed and acted upon?
9. Web Filtering (Annex A 8.23)
Are policies and technical controls implemented to restrict access to malicious or inappropriate web content?
How frequently are web filter rules reviewed and updated?
10. Secure Coding (Annex A 8.28)
What secure coding standards are followed during software development?
Are code reviews or static analysis tools used to identify security vulnerabilities?