Paid ISO / GRC assessment

A full ISO 27001 readiness intake for evidence-backed GRC decisions.

This is the detailed intake for a paid practitioner-led readiness assessment. Use it when you need control answers, evidence notes, scope signals, and a roadmap that can support certification, audit, or customer-review conversations.

93 ISO 27001 controls
Evidence notes captured
Paid practitioner review

Evidence baseline

Capture the control answers, notes, owners, and evidence references needed to begin a serious readiness review.

Gap prioritization

Separate urgent certification blockers from lower-value documentation cleanup so the roadmap is commercially useful.

Executive output

Use the intake to shape a paid findings report, implementation sequence, and leadership-ready next-step plan.

Respondent information

Tell us who is completing the intake.

Required fields tie the responses to the right organization, owner, and assessment date.

Control questionnaire

Review the ISO 27001 control families.

Select the closest answer and add evidence notes where useful. Notes should point to policy locations, system exports, owners, known gaps, or evidence you want reviewed.

A.5 family

Organizational controls

Governance, policy, roles, asset ownership, supplier risk, incident management, continuity, privacy, and compliance obligations.

37 controls

Control A.5.1 (Q1): Are information security policies established, approved by management, communicated, and reviewed at planned intervals?
Control A.5.2 (Q2): Are information security roles and responsibilities defined and allocated?
Control A.5.3 (Q3): Is segregation of duties implemented to reduce opportunities for unauthorized or unintentional modification?
Control A.5.4 (Q92): Are management responsibilities for information security defined and allocated?
Control A.5.5 (Q4): Are contacts with relevant authorities maintained?
Control A.5.6 (Q5): Are contacts with special interest groups and professional associations maintained?
Control A.5.7 (Q6): Is threat intelligence collected and analyzed?
Control A.5.8 (Q7): Is information security incorporated in project management?
Control A.5.9 (Q8): Is an inventory of information and information-processing facilities maintained?
Control A.5.10 (Q9): Is acceptable use of information and assets defined and documented?
Control A.5.11 (Q10): Are procedures for the return of organizational assets upon termination established?
Control A.5.12 (Q11): Is information classified according to legal, value, criticality, and sensitivity criteria?
Control A.5.13 (Q12): Are information labeling procedures developed and implemented?
Control A.5.14 (Q13): Are information transfer policies and procedures established?
Control A.5.15 (Q14): Are access control policies established, documented, and reviewed?
Control A.5.16 (Q15): Is identity management for personnel and entities accessing systems implemented?
Control A.5.17 (Q16): Are authentication methods appropriate to the access control policy?
Control A.5.18 (Q17): Are access rights reviewed at regular intervals?
Control A.5.19 (Q18): Is information security managed in supplier relationships?
Control A.5.20 (Q93): Is information security addressed within supplier agreements?
Control A.5.21 (Q19): Is information security in the ICT supply chain managed?
Control A.5.22 (Q20): Is supplier service delivery monitored, reviewed, and audited?
Control A.5.23 (Q21): Is information security for use of cloud services defined and implemented?
Control A.5.24 (Q22): Is an information security incident management plan established?
Control A.5.25 (Q23): Are information security events assessed and classified?
Control A.5.26 (Q24): Are information security incidents responded to appropriately?
Control A.5.27 (Q25): Is evidence relating to information security events collected and preserved?
Control A.5.28 (Q26): Is evidence collection conducted according to procedures?
Control A.5.29 (Q27): Is information security addressed during disruption?
Control A.5.30 (Q28): Are ICT systems prepared for business continuity?
Control A.5.31 (Q29): Are legal, statutory, regulatory, and contractual requirements identified?
Control A.5.32 (Q30): Are intellectual property rights protected?
Control A.5.33 (Q31): Are records protected from loss, destruction, and falsification?
Control A.5.34 (Q32): Are privacy and protection of personally identifiable information ensured?
Control A.5.35 (Q33): Is information security independently reviewed at planned intervals?
Control A.5.36 (Q34): Are policies and procedures for information security regularly reviewed?
Control A.5.37 (Q35): Are documented operating procedures for information security established?

A.6 family

People controls

Employment screening, contractual responsibilities, awareness, disciplinary process, remote work, and security event reporting.

8 controls

Control A.6.1 (Q36): Are background verification checks conducted on all candidates for employment?
Control A.6.2 (Q37): Do employment contracts include information security responsibilities?
Control A.6.3 (Q38): Are information security awareness, education, and training programs conducted?
Control A.6.4 (Q39): Is a disciplinary process for information security violations established?
Control A.6.5 (Q40): Are responsibilities defined for termination or change of employment?
Control A.6.6 (Q41): Are confidentiality or non-disclosure agreements established?
Control A.6.7 (Q42): Is remote working security implemented?
Control A.6.8 (Q43): Are information security events reported through appropriate channels?

A.7 family

Physical controls

Facility protection, physical entry, environmental safeguards, secure areas, equipment handling, utilities, and disposal.

14 controls

Control A.7.1 (Q44): Are physical security perimeters defined and used?
Control A.7.2 (Q45): Are physical entry controls implemented?
Control A.7.3 (Q46): Are offices, rooms, and facilities secured?
Control A.7.4 (Q47): Is physical security monitoring conducted?
Control A.7.5 (Q48): Is protection against physical and environmental threats implemented?
Control A.7.6 (Q49): Is work conducted in secure areas?
Control A.7.7 (Q50): Are clear desk and clear screen policies enforced?
Control A.7.8 (Q51): Is equipment sited and protected appropriately?
Control A.7.9 (Q52): Are assets secured off-premises?
Control A.7.10 (Q53): Are storage media handled securely?
Control A.7.11 (Q54): Are supporting utilities protected from interruption?
Control A.7.12 (Q55): Is cabling security implemented?
Control A.7.13 (Q56): Is equipment maintenance conducted securely?
Control A.7.14 (Q57): Is secure disposal or reuse of equipment implemented?

A.8 family

Technology controls

Endpoint protection, identity, privileged access, vulnerabilities, logging, monitoring, network security, SDLC, and change control.

34 controls

Control A.8.1 (Q58): Are user endpoints protected with appropriate security software?
Control A.8.2 (Q59): Is there a formal user access provisioning process?
Control A.8.3 (Q60): Are user access rights managed effectively?
Control A.8.4 (Q61): Is access to source code restricted?
Control A.8.5 (Q62): Is secure authentication implemented?
Control A.8.6 (Q63): Is capacity management implemented?
Control A.8.7 (Q64): Is protection against malware implemented?
Control A.8.8 (Q65): Is management of technical vulnerabilities implemented?
Control A.8.9 (Q66): Are configuration management procedures established?
Control A.8.10 (Q67): Is information deletion implemented securely?
Control A.8.11 (Q68): Is data masking used according to policy?
Control A.8.12 (Q69): Is data leakage prevention implemented?
Control A.8.13 (Q70): Is information backup conducted regularly?
Control A.8.14 (Q71): Is redundancy of information processing facilities implemented?
Control A.8.15 (Q72): Is logging of activities implemented?
Control A.8.16 (Q73): Are monitoring activities conducted?
Control A.8.17 (Q74): Are clocks synchronized to an approved time source?
Control A.8.18 (Q75): Is use of privileged utility programs controlled?
Control A.8.19 (Q76): Is software installation on operational systems controlled?
Control A.8.20 (Q77): Are networks and network services secured?
Control A.8.21 (Q78): Is security of network services ensured?
Control A.8.22 (Q79): Is network segregation implemented?
Control A.8.23 (Q80): Are web filtering controls implemented?
Control A.8.24 (Q81): Is use of cryptography planned and managed?
Control A.8.25 (Q82): Is the secure development life cycle implemented?
Control A.8.26 (Q83): Are application security requirements defined?
Control A.8.27 (Q84): Are secure system architecture and engineering principles applied?
Control A.8.28 (Q85): Is secure coding practiced?
Control A.8.29 (Q86): Is security testing in development and acceptance conducted?
Control A.8.30 (Q87): Is outsourced development supervised?
Control A.8.31 (Q88): Is separation of development, test, and production environments enforced?
Control A.8.32 (Q89): Is change management implemented?
Control A.8.33 (Q90): Is test information protected?
Control A.8.34 (Q91): Is protection of information systems during audit testing ensured?

The intake does not produce an automated certification opinion. It gives 4RHD the evidence context needed to scope and deliver the paid readiness review.