
Section  Sub section

1 Security policy
1.1    3.1    Information security policy
1.1.1  3.1.1  Information security policy document
1.1.2  3.1.2  Review and evaluation

2 Organisational Security
2.1    4.1    Information security infrastructure
2.1.1  4.1.1  Management information security forum
2.1.2  4.1.2  Information security coordination
2.1.3  4.1.3  Allocation of information security responsibilities
2.1.4  4.1.4  Authorisation process for information processing facilities
2.1.5  4.1.5  Specialist information security advice
2.1.6  4.1.6  Co-operation between organisations
2.1.7  4.1.7  Independent review of information security
2.2    4.2    Security of third party access
2.2.1  4.2.1  Identification of risks from third party access
2.2.2  4.2.2  Security requirements in third party contracts
2.3    4.3    Outsourcing
2.3.1  4.3.1  Security requirements in outsourcing contracts

3 Asset classification and control
3.1    5.1    Accountability of assets
3.1.1  5.1.1  Inventory of assets
3.2    5.2    Information classification
3.2.1  5.2.1  Classification guidelines
3.2.2  5.2.2  Information labelling and handling

4 Personnel security
4.1    6.1    Security in job definition and resourcing
4.1.1  6.1.1  Including security in job responsibilities
4.1.2  6.1.2  Personnel screening and policy
4.1.3  6.1.3  Confidentiality agreements
4.1.4  6.1.4  Terms and conditions of employment
4.2    6.2    User training
4.2.1  6.2.1  Information security education and training
4.3    6.3    Responding to security incidents and malfunctions
4.3.1  6.3.1  Reporting security incidents
4.3.2  6.3.2  Reporting security weaknesses
4.3.3  6.3.3  Reporting software malfunctions
4.3.4  6.3.4  Learning from incidents
4.3.5  6.3.5  Disciplinary process

5 Physical and Environmental Security
5.1    7.1    Secure areas
5.1.1  7.1.1  Physical security perimeter
5.1.2  7.1.2  Physical entry controls
5.1.3  7.1.3  Securing offices, rooms and facilities
5.1.4  7.1.4  Working in secure areas
5.1.5  7.1.5  Isolated delivery and loading areas
5.2    7.2    Equipment security
5.2.1  7.2.1  Equipment siting and protection
5.2.2  7.2.2  Power supplies
5.2.3  7.2.3  Cabling security
5.2.4  7.2.4  Equipment maintenance
5.2.5  7.2.5  Security of equipment off-premises
5.2.6  7.2.6  Secure disposal or re-use of equipment
5.3    7.3    General controls
5.3.1  7.3.1  Clear desk and clear screen policy
5.3.2  7.3.2  Removal of property

6 Communications and Operations Management
6.1    8.1    Operational procedures and responsibilities
6.1.1  8.1.1  Documented operating procedures
6.1.2  8.1.2  Operational change control
6.1.3  8.1.3  Incident management procedures
6.1.4  8.1.4  Segregation of duties
6.1.5  8.1.5  Separation of development and operational facilities
6.1.6  8.1.6  External facilities management
6.2    8.2    System planning and acceptance
6.2.1  8.2.1  Capacity planning
6.2.2  8.2.2  System acceptance
6.3    8.3    Protection against malicious software
6.3.1  8.3.1  Controls against malicious software
6.4    8.4    Housekeeping
6.4.1  8.4.1  Information back-up
6.4.2  8.4.2  Operator logs
6.4.3  8.4.3  Fault logging
6.5    8.5    Network management
6.5.1  8.5.1  Network controls
6.6    8.6    Media handling and security
6.6.1  8.6.1  Management of removable computer media
6.6.2  8.6.2  Disposal of media
6.6.3  8.6.3  Information handling procedures
6.6.4  8.6.4  Security of system documentation
6.7    8.7    Exchange of information and software
6.7.1  8.7.1  Information and software exchange agreements
6.7.2  8.7.2  Security of media in transit
6.7.3  8.7.3  Electronic commerce security
6.7.4  8.7.4  Security of electronic mail
6.7.5  8.7.5  Security of electronic office systems
6.7.6  8.7.6  Publicly available systems
6.7.7  8.7.7  Other forms of information exchange

7 Access Control
7.1    9.1    Business requirements for access control
7.1.1  9.1.1  Access control policy
7.2    9.2    User access management
7.2.1  9.2.1  User registration
7.2.2  9.2.2  Privilege management
7.2.3  9.2.3  User password management
7.2.4  9.2.4  Review of user access rights
7.3    9.3    User responsibilities
7.3.1  9.3.1  Password use
7.3.2  9.3.2  Unattended user equipment
7.4    9.4    Network access control
7.4.1  9.4.1  Policy on use of network services
7.4.2  9.4.2  Enforced path
7.4.3  9.4.3  User authentication for external connections
7.4.4  9.4.4  Node authentication
7.4.5  9.4.5  Remote diagnostic port protection
7.4.6  9.4.6  Segregation in networks
7.4.7  9.4.7  Network connection protocols
7.4.8  9.4.8  Network routing control
7.4.9  9.4.9  Security of network services
7.5    9.5    Operating system access control
7.5.1  9.5.1  Automatic terminal identification
7.5.2  9.5.2  Terminal log-on procedures
7.5.3  9.5.3  User identification and authorisation
7.5.4  9.5.4  Password management system
7.5.5  9.5.5  Use of system utilities
7.5.6  9.5.6  Duress alarm to safeguard users
7.5.7  9.5.7  Terminal time-out
7.5.8  9.5.8  Limitation of connection time
7.6    9.6    Application access control
7.6.1  9.6.1  Information access restriction
7.6.2  9.6.2  Sensitive system isolation
7.7    9.7    Monitoring system access and use
7.7.1  9.7.1  Event logging
7.7.2  9.7.2  Monitoring system use
7.7.3  9.7.3  Clock synchronisation
7.8    9.8    Mobile computing and teleworking
7.8.1  9.8.1  Mobile computing
7.8.2  9.8.2  Teleworking

8 System development and maintenance
8.1    10.1    Security requirements of systems
8.1.1  10.1.1  Security requirements analysis and specification
8.2    10.2    Security in application systems
8.2.1  10.2.1  Input data validation
8.2.2  10.2.2  Control of internal processing
8.2.3  10.2.3  Message authentication
8.2.4  10.2.4  Output data validation
8.3    10.3    Cryptographic controls
8.3.1  10.3.1  Policy on use of cryptographic controls
8.3.2  10.3.2  Encryption
8.3.3  10.3.3  Digital signatures
8.3.4  10.3.4  Non-repudiation services
8.3.5  10.3.5  Key management
8.4    10.4    Security of system files
8.4.1  10.4.1  Control of operational software
8.4.2  10.4.2  Protection of system test data
8.4.3  10.4.3  Access control to program source library
8.5    10.5    Security in development and support process
8.5.1  10.5.1  Change control procedures
8.5.2  10.5.2  Technical review of operating system changes
8.5.3  10.5.3  Technical review of operating system changes
8.5.4  10.5.4  Covert channels and Trojan code
8.5.5  10.5.5  Outsourced software development

9 Business Continuity Management
9.1    11.1    Aspects of business continuity management
9.1.1  11.1.1  Business continuity management process
9.1.2  11.1.2  Business continuity and impact analysis
9.1.3  11.1.3  Writing and implementing continuity plans
9.1.4  11.1.4  Business continuity planning framework
9.1.5  11.1.5  Testing, maintaining and re-assessing business continuity plans

10 Compliance
10.1    12.1    Compliance with legal requirements
10.1.1  12.1.1  Identification of applicable legislation
10.1.2  12.1.2  Intellectual property rights (IPR)
10.1.3  12.1.3  Safeguarding of organisational records
10.1.4  12.1.4  Data protection and privacy of personal information
10.1.5  12.1.5  Prevention of misuse of information processing facilities
10.1.6  12.1.6  Regulation of cryptographic controls
10.1.7  12.1.7  Collection of evidence
10.2    12.2    Reviews of security policy and technical compliance
10.2.1  12.2.1  Compliance with security policy
10.2.2  12.2.2  Technical compliance checking
10.3    12.3    System audit considerations
10.3.1  12.3.1  System audit controls
10.3.2  12.3.2  Protection of system audit tools

Audit Question

Whether there exists an Information security policy, which is approved by the management, published and communicated as appropriate to all
Whether it states the management commitment and sets out the organisational approach to managing information security.
Whether the Security policy has an owner, who is responsible for its maintenance and review according to a defined review process.
Whether the process ensures that a review takes place in response to any changes affecting the basis of the original assessment, example:
Whether there is a management forum to ensure there is a clear direction and visible management support for security initiatives within
Whether there is a cross-functional forum of management representatives from relevant parts of the organisation to coordinate
Whether responsibilities for the protection of individual assets and for carrying out specific security processes were clearly defined.
Whether there is a management authorisation process in place for any new information processing facility. This should include all new
Whether specialist information security advice is obtained where appropriate. A specific individual may be identified to co-ordinate in-house knowledge and experiences to ensure consistency, and provide help in
Whether appropriate contacts with law enforcement authorities, regulatory bodies, information service providers and telecommunication
Whether the implementation of security policy is reviewed independently on a regular basis. This is to provide assurance that
Whether risks from third party access are identified and appropriate security controls implemented.
Whether the types of accesses are identified, classified and reasons for access are justified.
Whether security risks with third party contractors working onsite were identified and appropriate controls are implemented.
Whether there is a formal contract containing, or referring to, all the security requirements to ensure compliance with the organisations
Whether security requirements are addressed in the contract with the third party, when the organisation has outsourced the management and
The contract should address how the legal requirements are to be met, how the security of the organisations assets is maintained and
Whether an inventory or register is maintained with the important assets associated with each information system.
Whether each asset identified has an owner, the security classification defined and agreed and the location identified.
Whether there is an Information classification scheme or guideline in place; which will assist in determining how the information is to be
Whether an appropriate set of procedures is defined for information labelling and handling in accordance with the classification scheme

Whether security roles and responsibilities as laid down in the Organisations information security policy are documented where appropriate. This should include general responsibilities for implementing or maintaining security policy as well as specific responsibilities
Whether verification checks on permanent staff were carried out at the time of job applications. This should include character reference, confirmation of claimed academic and professional qualifications and independent identity
Whether employees are asked to sign a Confidentiality or non-disclosure agreement as a part of their initial terms and conditions of the
Whether this agreement covers the security of the information processing facility and organisation assets.
Whether terms and conditions of the employment cover the employees responsibility for information security. Where appropriate,
Whether all employees of the organisation and third party users (where relevant) receive appropriate Information Security training and regular
Whether a formal reporting procedure exists, to report security incidents through appropriate management channels as quickly as
Whether a formal reporting procedure or guideline exists for users, to report security weakness in, or threats to, systems or services.
Whether procedures were established to report any software malfunctions.
Whether there are mechanisms in place to enable the types, volumes and costs of incidents and malfunctions to be quantified and monitored.

Whether there is a formal disciplinary process in place for employees who have violated organisational security policies and procedures.

What physical border security facility has been implemented to protect the Information processing service. Some examples of such security facility are card control entry gate, walls, manned reception etc.,
What entry controls are in place to allow only authorised personnel into various areas within the organisation.
Whether the rooms, which have the Information processing service, are locked or have lockable cabinets or safes.
Whether the Information processing service is protected from natural and man-made disaster.
Whether there is any potential threat from neighbouring premises.
The information is only on a need to know basis.
Whether there exists any security control for third parties or for personnel working in secure
Whether the delivery area and information processing area are isolated from each other to avoid any unauthorised access.
Whether a risk assessment was conducted to determine the security in such areas.
Whether the equipment was located in an appropriate place to minimise unnecessary access into work areas.
Whether the items requiring special protection were isolated to reduce the general level of protection required.
Whether controls were adopted to minimise risk from potential threats such as theft, fire, explosives, smoke, water, dust, vibration, chemical
Whether there is a policy towards eating, drinking and smoking in proximity to information processing services.
Whether environmental conditions are monitored which would adversely affect the information processing facilities.
Whether equipment is protected from power failures by using permanence of power supplies such as multiple feeds, uninterruptible
Whether the power and telecommunications cables carrying data or supporting information services are protected from interception or
Whether there are any additional security controls in place for the sensitive or critical information.
Whether equipment is maintained as per the suppliers recommended service intervals and specifications.
Whether the maintenance is carried out only by authorised personnel.
Whether logs are maintained with all suspected or actual faults and all preventive and corrective measures.
Whether appropriate controls are implemented while sending equipment off premises.
If the equipment is covered by insurance, whether the insurance requirements are satisfied.
Whether any equipment usage outside an organisations premises for information processing has to be authorised by the management.
Whether the security provided for these equipments while outside the premises is on par with or more than the security provided inside the
Whether storage devices containing sensitive information are physically destroyed or securely overwritten.
Whether automatic computer screen locking facility is enabled. This would lock the screen when the computer is left unattended for a
Whether employees are advised to leave any confidential material in the form of paper documents, media etc., in a locked manner while
Whether equipment, information or software can be taken offsite without appropriate authorisation.
Whether spot checks or regular audits were conducted to detect unauthorised removal of property.
Whether individuals are aware of these types of spot checks or regular audits.

Whether the Security Policy has identified any Operating procedures such as Back-up, Equipment maintenance etc., Whether such procedures are documented and used.
Whether all programs running on production systems are subject to strict change control i.e., any change to be made to those production
Whether audit logs are maintained for any change made to the production programs.
Whether an Incident Management procedure exists to handle security incidents.
Whether the procedure addresses the incident management responsibilities, orderly and quick response to security incidents.
Whether the procedure addresses different types of incidents ranging from denial of service to breach of confidentiality etc., and ways to
Whether the audit trails and logs relating to the incidents are maintained and proactive action taken in a way that the incident doesnt
Whether duties and areas of responsibility are separated in order to reduce opportunities for unauthorised modification or misuse of

Whether the development and testing facilities are isolated from operational facilities. For example development software should run on
Whether any of the Information processing facility is managed by an external company or contractor (third party).
Whether the risks associated with such management are identified in advance, discussed with the third party and appropriate controls were
Whether necessary approval is obtained from business and application owners.
Whether the capacity demands are monitored and projections of future capacity requirements are made. This is to ensure that adequate
Example: Monitoring Hard disk space, RAM, CPU on critical servers.
Whether System acceptance criteria are established for new information systems, upgrades and new versions.
Whether suitable tests were carried out prior to acceptance.
Whether there exists any control against malicious software usage.
Whether the security policy does address software licensing issues such as prohibiting usage of unauthorised software.
Whether there exists any Procedure to verify all warning bulletins are accurate and informative with regards to the malicious software usage.
Whether Antivirus software is installed on the computers to check and isolate or remove any viruses from computer and media.
Whether this software signature is updated on a regular basis to check any latest viruses.
Whether the traffic originating from an un-trusted network in to the organisation is checked for viruses. Example: Checking for viruses on
Whether Back-up of essential business information such as production server, critical network components, configuration backup etc., were
Example: Mon-Thu: Incremental Backup and Fri: Full Backup.
Whether the backup media along with the procedure to restore the backup are stored securely and well away from the actual site.
Whether the backup media are regularly tested to ensure that they could be restored within the time frame allotted in the operational
Whether Operational staffs maintain a log of their activities such as name of the person, errors, corrective action etc.,
Whether Operator logs are checked on a regular basis against the Operating procedures.
Whether faults are reported and well managed. This includes corrective action being taken, review of the fault logs and checking the actions
Whether effective operational controls such as separate network and system administration facilities were established where necessary.
Whether responsibilities and procedures for management of remote equipment, including equipment in user areas were established.
Whether there exist any special controls to safeguard confidentiality and integrity of data processing over the public network and to protect
Whether there exists a procedure for management of the removable computer media such as tapes, disks, cassettes, memory cards and
Whether media that are no longer required are disposed of securely and safely.
Whether disposal of sensitive items is logged where necessary in order to maintain an audit trail.
Whether there exists a procedure for handling the storage of information. Does this procedure address issues such as information
Whether the system documentation is protected from unauthorised access.
Whether the access list for the system documentation is kept to a minimum and authorised by the application owner. Example: System
Whether there exists any formal or informal agreement between the organisations for exchange of information and software.
Whether the agreement does address the security issues based on the sensitivity of the business information involved.
Whether security of media while being transported is taken into account.
Whether the media is well protected from unauthorised access, misuse or corruption.
Whether Electronic commerce is well protected and controls implemented to protect against fraudulent activity, contract dispute and
Whether Security controls such as Authentication, Authorisation are considered in the ECommerce environment.
Whether electronic commerce arrangements between trading partners include a documented agreement, which commits both parties to the
Whether there is a policy in place for the acceptable use of electronic mail or does the security policy address the issues with regards to
Whether controls such as antivirus checking, isolating potentially unsafe attachments, spam control, anti relaying etc., are put in place to
Whether there is an Acceptable use policy to address the use of Electronic office systems.

Whether there are any guidelines in place to effectively control the business and security risks associated with the electronic office
Whether there is any formal authorisation process in place for the information to be made publicly available. Such as the approval from
Whether there are any controls in place to protect the integrity of such publicly available information from any unauthorised access. This might include controls such as firewalls, Operating system hardening, any Intrusion detection type of tools used to monitor the
Whether there are any policies, procedures or controls in place to protect the exchange of information through the use of voice, facsimile
Whether staffs are reminded to maintain the confidentiality of sensitive information while using such forms of information exchange facility.
Whether the business requirements for access control have been defined and documented.
Whether the Access control policy does address the rules and rights for each user or a group of users.
Whether the users and service providers were given a clear statement of the business requirement to be met by access controls.
Whether there is any formal user registration and de-registration procedure for granting access to multi-user information systems and
Whether the allocation and use of any privileges in the multi-user information system environment is restricted and controlled i.e.,
The allocation and reallocation of passwords should be controlled through a formal management process.
Whether users are asked to sign a statement to keep the password confidential.
Whether there exists a process to review user access rights at regular intervals. Example: Special privilege review every 3 months, normal
Whether there are any guidelines in place to guide users in selecting and maintaining secure passwords.
Whether the users and contractors are made aware of the security requirements and procedures for protecting unattended equipment, as Example: Logoff when session is finished or set up auto log off, terminate sessions when finished etc.,
Whether there exists a policy that does address concerns relating to networks and network services such as: Parts of network to be accessed, Authorisation services to determine who is allowed to do what, Procedures to protect the access to network connections and network services.
Whether there is any control that restricts the route between the user terminal and the designated computer services the user is authorised
Whether there exist any authentication mechanisms for challenging external connections. Examples: Cryptography based technique, hardware tokens, software tokens, challenge/ response protocol etc.,
Whether connections to remote computer systems that are outside the organisations security management are authenticated. Node
Whether accesses to diagnostic ports are securely controlled i.e., protected by a security mechanism.
Whether the network (where business partners and/ or third parties need access to the information system) is segregated using perimeter
Whether there exists any network connection control for shared networks that extend beyond the organisational boundaries. Example:
Whether there exist any network controls to ensure that computer connections and information flows do not breach the access control
Whether the routing controls are based on the positive source and destination identification mechanism. Example: Network Address
Whether the organisation, using a public or private network service, does ensure that a clear description of security attributes of all services used
Whether an automatic terminal identification mechanism is used to authenticate connections.
Whether access to the information system is attainable only via a secure log-on process.
Whether there is a procedure in place for logging in to an information system. This is to minimise the opportunity of unauthorised access.
Whether a unique identifier is provided to every user such as operators, system administrators and all other staff including technical. The generic user accounts should be supplied only under exceptional circumstances where there is a clear business benefit. Additional
Whether the authentication method used does substantiate the claimed identity of the user; commonly used method: Password only
Whether there exists a password management system that enforces various password controls such as: individual password for
Whether the system utilities that come with computer installations, but may override system and application control, are tightly controlled.
Whether provision of a duress alarm is considered for users who might be the target of coercion.
Inactive terminals in public areas should be configured to clear the screen or shut down automatically after a defined time period of inactivity.
Whether there exist any restrictions on connection time for high-risk applications. This type of set up should be considered for sensitive

Whether access to applications by various groups/ personnel within the organisation should be defined in the access control policy as per the
Whether sensitive systems are provided with an isolated computing environment such as running on a dedicated computer, share
Whether audit logs recording exceptions and other security relevant events are produced and kept for an agreed period to assist in future
Whether procedures are set up for monitoring the use of the information processing facility. The procedure should ensure that the users are performing only the activities that are explicitly authorised. Whether the results of the monitoring activities are reviewed regularly.
Whether the computer or communication device has the capability of operating a real time clock, it should be set to an agreed standard such
The correct setting of the computer clock is important to ensure the accuracy of the audit logs.
Whether a formal policy is adopted that takes into account the risks of working with computing facilities such as notebooks, palmtops etc.,
Whether trainings were arranged for staff who use mobile computing facilities to raise their awareness on the additional risks resulting from
Whether there is any policy, procedure and/ or standard to control teleworking activities, this should be consistent with the organisations
Whether suitable protection of the teleworking site is in place against threats such as theft of equipment, unauthorised disclosure of
Whether security requirements are incorporated as part of the business requirement statement for new systems or for enhancement to existing
Security requirements and controls identified should reflect the business value of the information assets involved and the consequence from failure
Whether risk assessments are completed prior to commencement of system development.
Whether data input to the application system is validated to ensure that it is correct and appropriate.
Whether the controls such as: Different types of inputs to check for error messages, Procedures for responding to validation errors, defining
Whether areas of risk are identified in the processing cycle and validation checks were included. In some cases the data that has been
Whether appropriate controls are identified for applications to mitigate risks during internal processing. The controls will depend on the nature of the application and the business impact of any corruption of data.
Whether an assessment of security risk was carried out to determine if Message authentication is required; and to identify the most appropriate
Message authentication is a technique used to detect unauthorised changes to, or corruption of, the contents of the transmitted electronic
Whether the data output of the application system is validated to ensure that the processing of stored information is correct and appropriate to
Whether there is a Policy on the use of cryptographic controls for protection of information in place.
Whether a risk assessment was carried out to identify the level of protection the information should be given.
Whether encryption techniques were used to protect the data.
Whether assessments were conducted to analyse the sensitivity of the data and the level of protection needed.
Whether Digital signatures were used to protect the authenticity and integrity of electronic documents.
Whether non-repudiation services were used, where it might be necessary to resolve disputes about occurrence or non-occurrence of
Example: Dispute involving use of a digital signature on an electronic payment or contract.
Whether a management system is in place to support the organisations use of cryptographic techniques such as Secret key
Whether the Key management system is based on an agreed set of standards, procedures and secure methods.
Whether there are any controls in place for the implementation of software on operational systems. This is to minimise the risk of
Whether system test data is protected and controlled. The use of an operational database containing personal information should be
Whether strict controls are in place over access to program source libraries. This is to reduce the potential for corruption of computer
Whether there are strict control procedures in place over implementation of changes to the information system. This is to
Whether there is a process or procedure in place to ensure the application system is reviewed and tested after a change in the operating system. Periodically it is necessary to upgrade the operating system i.e., to install service packs, patches, hot fixes etc.,
Whether there are any restrictions in place to limit changes to software packages. As far as possible the vendor supplied software packages should be used without modification. If changes are deemed essential the original

Whether there are controls in place to ensure that covert channels and Trojan code are not introduced into new or upgraded systems. A covert channel can expose information by some indirect and obscure means. Trojan code is designed to affect a system in a way that is not
Whether there are controls in place over outsourced software. The points to be noted include: Licensing arrangements, escrow arrangements, contractual requirement for quality assurance, testing
Whether there is a managed process in place for developing and maintaining business continuity throughout the organisation. This might include an Organisation wide Business continuity plan, regular testing and updating of the plan, formulating and documenting a
Whether events that could cause interruptions to business processes were identified, example: equipment failure, flood and fire.
Whether a risk assessment was conducted to determine the impact of such interruptions.
Whether a strategy plan was developed based on the risk assessment results to determine an overall approach to business continuity.
Whether plans were developed to restore business operations within the required time frame following an interruption or failure to business
Whether the plan is regularly tested and updated.
Whether there is a single framework of Business continuity plans.
Whether this framework is maintained to ensure that all plans are consistent and identify priorities for testing and maintenance.
Whether this identifies conditions for activation and individuals responsible for executing each component of the plan.
Whether Business continuity plans are tested regularly to ensure that they are up to date and effective.
Whether Business continuity plans were maintained by regular reviews and updates to ensure their continuing effectiveness.
Whether procedures were included within the organisations change management programme to ensure that Business continuity matters
Whether all relevant statutory, regulatory and contractual requirements were explicitly defined and documented for each information system.
Whether specific controls and individual responsibilities to meet these requirements were defined and documented.
Whether there exist any procedures to ensure compliance with legal restrictions on use of material in respect of which there may be
Whether the procedures are well implemented.
Whether proprietary software products are supplied under a license agreement that limits the use of the products to specified machines.
Whether important records of the organisation are protected from loss, destruction and falsification.
Whether there is a management structure and control in place to protect data and privacy of personal information.
Whether use of information processing facilities for any non-business or unauthorised purpose, without management approval, is treated as
Whether at log-on a warning message is presented on the computer screen indicating that the system being entered is private and
Whether regulation of cryptographic controls is as per the sector and national agreement.
Whether the process involved in collecting the evidence is in accordance with legal and industry best practice.
Whether all areas within the organisation are considered for regular review to ensure compliance with information security policy, standards and
Whether systems were regularly checked for compliance with security implementation standards.
Whether the technical compliance check is carried out by, or under the supervision of, competent, authorised persons.
Whether audit requirements and activities involving checks on operational systems should be carefully planned and agreed to
Whether access to system audit tools such as software or data files is protected to prevent any possible misuse or compromise.
