Internal Control Questionnaires for Information Security Healthchecks

Written and published by IsecT Ltd.

About 180 pages, supplied as a pack of 31 fully-customizable Microsoft Word files.

Price: US$310 (price cut for 2010)

Sample ICQ (PDF; requires Acrobat Reader to open)

Background

Every month NoticeBored delivers an audit-style generic Internal Control Questionnaire (ICQ) or checklist to help customers review the risks and controls addressing that month’s information security topic.  By popular demand, we are now offering a full set of ICQs for sale separately.

The ICQs are intended to help customers review their information security risks and controls, for example as part of the initial “gap analysis”, “healthcheck” or risk assessment phase of implementing an ISO/IEC 27001 Information Security Management System.  Normally, organizations spend a fortune getting consultants or auditors to do this for them, when often they are perfectly capable of checking things for themselves with just a little help.  That’s where the ICQs come in.

The ICQs lay out the key information security risks and controls in each topic area, starting with a mind-map overview to help users get their bearings.  The tables that follow expand on the issues raised in the mind maps with a logical series of open audit-style interrogations.  These are not just simplistic yes/no questions as one might find in a crude tick-list: the idea is to prompt the ICQ user to explore the topic area, gathering and evaluating information as they go.  The findings column provides a place to record the results of the checks, while the SWOT column is a handy place to identify key strengths, weaknesses, opportunities and threats.  The main SWOT items can then be collated and summarized at the end of the ICQ, forming the basis of a meaningful management report backed by the evidence collected during the investigation.

Here’s a listing of the 31 ICQs provided in the pack, showing the topics they cover:

[Image: list of ICQs in the pack]

Find out in more detail what the ICQs actually look like by checking this sample: the malware ICQ (Adobe Acrobat PDF).  Note: the sample is a read-only Acrobat PDF version, but we actually provide customers with the original editable Rich Text Files produced by Microsoft Word for ease of customization and use.

[Image: ICQ 2-page preview]

The ICQs are similar in structure and style to the sample, with a mind map overview followed by the actual questionnaire/checklist, typically about 6 pages in total.  The SWOT (Strengths, Weaknesses, Opportunities and Threats) column and summary section at the end are used to analyze and record significant findings that deserve management attention.  The Ref column is used to reference evidence, policies, interview notes etc. collected and examined during the review.

Price

The pack of 31 generic ICQs costs US$310 (price cut for 2010).  Given that each one would take an experienced and qualified IT auditor at least an hour to create, let alone the time to research the topic area, we hope you’ll agree that US$10 per checklist is outstanding value for money.

Please contact us to buy the ICQs or for further information.  We will ask you to sign a license agreement and pay by PayPal.  The ICQs will be delivered electronically as an ~11 MB Zip file containing 31 Word files.  We also offer support by email: if you need more information or just want to discuss the risks and controls with independent consultants, just let us know and we’d be pleased to help.  [The first hour of email support is free of charge.]

Disclaimer

These ICQs are intended as general prompts or reminders, and are not literally meant as a set of questions to be asked verbatim.  They are generic and do not necessarily address any organization’s specific requirements (e.g. laws and other compliance obligations, business/strategic objectives) that are normally identified during the scoping phase of an independent audit or management review.  They are unlikely to be sufficiently comprehensive without modification.  They are intended for use by experienced IT auditors and similar competent persons.  Use at your own risk.  Seek more specific advice and assistance from suitably qualified and experienced advisors with knowledge of your particular circumstances and obligations.  None of this is legal advice!


Copyright © 2010  IsecT Ltd.