Internal Control Questionnaires

Internal Control Questionnaires for Information Security Healthchecks and IT Audits

[Image: first 2 pages of one ICQ]


Written and published by IsecT Ltd.


Supplied as a pack of 31 Word documents of approximately 6 pages each


Price US$145*


Sample ICQ (PDF; requires Acrobat Reader to open)

Background

Every month NoticeBored delivers an audit-style generic Internal Controls Questionnaire (ICQ) or checklist to help customers review the risks and controls addressing that month’s information security topic.  By popular demand, we are now offering a full set of ICQs for sale separately.

The ICQs are intended to help customers review their information security risks and controls, for example as part of the initial “gap analysis”, “healthcheck” or risk assessment phase of implementing an ISO/IEC 27001 Information Security Management System.  Normally, organizations spend a fortune getting consultants or auditors to do this for them, when often they are perfectly capable of checking things for themselves with just a little help.  That’s where the ICQs come in.

The ICQs lay out the key information security risks and controls in each topic area, starting with a mind-map overview to help users get their bearings.  The tables that follow expand on the issues raised in the mind maps with a logical series of open, audit-style questions.  These are not just simplistic yes/no questions as one might find in a crude tick-list: the idea is to prompt the ICQ user to explore the topic area, gathering and evaluating information as they go.  The findings column provides a place to record the results of the checks, while the SWOT column is a handy place to identify key strengths, weaknesses, opportunities and threats.  The main SWOT items can then be collated and summarized at the end of the ICQ, forming the basis of a meaningful management report backed by the evidence collected during the investigation.

Here’s a listing of the 31 ICQs provided in the pack, showing the topics they cover:

[Image: list of ICQs in the pack]


Find out in more detail what the ICQs actually look like by checking this sample: the malware ICQ (Adobe Acrobat PDF sample).  Note: although the sample is an Acrobat PDF version, we provide customers with the original, unlocked, editable files produced by Microsoft Word for ease of customization and use.



The ICQs are similar in structure and style to the sample, with a mind-map overview followed by the actual questionnaire/checklist, typically about 6 pages in total.

The questions are deliberately open-ended in style to encourage the reviewers or auditors to explore and describe the controls in more depth than crude ‘yes/no’ tick-lists allow.  In reality, information security is often a matter of “Yes, but ...” or “Not entirely ...”.  More open ICQs allow the nature or gravity of the findings to determine the depth of analysis.

The SWOT (Strengths, Weaknesses, Opportunities and Threats) column and the summary section at the end are used to analyze and record significant findings that deserve management attention.  The Ref column is used to reference evidence, policies, interview notes etc. collected and examined during the review.

Buy the ICQs

The pack of 31 generic ICQs costs just US$145*.  Given that each one would take an experienced and qualified IT auditor at least an hour to create, let alone the time to research the topic area, we hope you’ll agree that less than US$5 per checklist is outstanding value for money.

Please contact us to buy the ICQs or for further information.  We will ask you to sign a license agreement and pay by PayPal using a credit card.  The ICQs will be delivered electronically as a Zip file containing the unlocked MS Word documents.  We offer support by email: if you need more information or just want to discuss the risks and controls with independent consultants, let us know and we’d be pleased to help.  [The first hour of email support is free of charge.]

Disclaimer

These ICQs are intended as general prompts or reminders, and are not literally meant as a set of questions to be asked verbatim.  They are generic and do not necessarily address any organization’s specific requirements (e.g. laws and other compliance obligations, business/strategic objectives) that are normally identified during the scoping phase of an independent audit or management review.  They are unlikely to be sufficiently comprehensive without modification.  They are intended for use by experienced IT auditors and similar competent persons.  Use at your own risk.  Seek more specific advice and assistance from suitably qualified and experienced advisors with knowledge of your particular circumstances and obligations.  None of this is legal advice!

* plus GST (sales tax) for New Zealand customers



Copyright © 2012  IsecT Ltd.