Audit/review questions
Other than the classic "Show me", here are a bunch of generic questions to consider, select and refine if you are conducting an ISMS internal audit, IT audit, ISMS management review etc. looking into 'X' (an ISMS, situation, system, process, control, incident or whatever). Hopefully these are thought-provoking, helping you consider and explore X from different perspectives.
- Are there any legal, regulatory or contractual compliance implications of X?
- Are there any other things about X that I/management should know about?
- Can I do some audit tests on X, please?
- Compared to Y and Z, how risky/valuable/reliable is X?
- Does anything strike you as strange or worrying about X?
- Explain the controls relating to X …
- Has X ever hurt anyone? What happened?
- Have you or anyone else raised concerns about X?
- How big is X - how wide, how heavy, how numerous, how often?
- How come previous efforts did not fix X?
- How costly was X?
- How could X be linked or integrated with other things?
- How long before X needs to be retired/repaired/replaced?
- How might X be compromised?
- How up-to-date is X, and how do you know that?
- I wonder about Y. What can you tell me?
- If someone did exploit X, how might they cover their tracks?
- If the organisation were to start over, what would happen about X?
- If X had been exploited or compromised, how would we discover that?
- If you left the organisation or fell ill, what do you think would happen with X?
- If you were me, what else would you like to know about X?
- Imagine I am a clueless idiot: can you explain X to me in simple terms?
- Is anyone dealing with X? What are they doing?
- Is there a diagram or can you sketch X for me?
- Is there anything else you’d like to say?
- Is X an issue for the business, or could it become so?
- Is X right/appropriate/sensible in your opinion?
- Please can I have an account on system X to conduct some enquiries?
- Show me how to break X …
- Show me the configuration parameters/settings for X …
- Show me the logs, alarms and alerts relating to X …
- Show me the X system from the perspectives of a user and administrator …
- Show me what is broken with X …
- Talk/walk me through X …
- Tell me about the technology platform for X …
- Under what circumstances might X become a major problem?
- What are the drivers for X?
- What are the most important controls relating to X, and why is that?
- What are the obligations, requirements and goals for X?
- What are you planning for X?
- What changes have affected X?
- What could or should X have achieved to date?
- What do you like most/least about X?
- What does X depend upon?
- What else is going on now in X?
- What else might cause X?
- What happened in the past when X failed, or failed to perform as expected?
- What has happened recently in/to X?
- What have you personally tried to address X?
- What is it about X that makes you most uncomfortable?
- What is the best/worst thing about X?
- What is the most concerning thing about X?
- What is the most valuable information in X?
- What is the most/least successful or effective thing about X?
- What is your rĂ´le in relation to X?
- What should or must X not do?
- What was done in response to X - what happened, how, when and why?
- What would happen if X was not done at all, or not done properly?
- When was the last time X was reviewed/checked/audited, if ever?
- Who are the users, managers and administrators for X?
- Who else can access or interact or change X?
- Who else should I be talking to/asking about X?
- Who is the information/risk owner for X?
- Who might benefit from or be harmed by X?
- Who or what might threaten X?
- Who supports/needs X? Why?
- Who was involved in the X incident?
- Why do you think X keeps cropping up?
- Why/how is X changed?
- Would you say X is perfect? If not, why not?
What have you found to be the most productive questions or approaches when auditing or reviewing something? Conversely, from the other side of the table, what are the best, most insightful or challenging questions and approaches you have faced in an audit-type situation?