During an ISO 27001 audit, the CEO may be asked questions related to how the company decides CAPEX issues, determines forward strategy and business plans, and determines product and market strategies. The CEO should also be quizzed on areas such as IT outsourcing and its effect on the cybersecurity program, the adequacy of cybersecurity technology, insider threats, access controls, data security and protection regulations and other related topics. Additionally, the CEO should be made aware of cybersecurity risks and how to navigate them.

  1. Can you describe the company’s overall approach to information security and data protection?
  2. How does the company ensure compliance with relevant laws and regulations, such as the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS)?
  3. How does the company handle incidents and breaches, and what measures are in place to prevent them from occurring?
  4. How does the company ensure the security of its networks and systems, including the protection of sensitive data and the prevention of unauthorized access?
  5. Can you describe the company’s policies and procedures for managing and protecting sensitive information, and how are employees trained on these policies?
  6. How does the company regularly assess and manage information security risks, and how are risks communicated to relevant stakeholders?
  7. Can you provide examples of how the company has implemented controls to meet the requirements of the ISO 27001 standard?
  8. How does the company regularly review and update its information security management system to ensure its ongoing effectiveness?
  9. Can you describe any challenges or areas for improvement in the company’s information security practices, and how are these being addressed?
Categories: ISO-27001/27002