Industry Insights | 30 June 2025 | 10 min read | ISO Xpert Team | Last updated 30 June 2025

ISO 27001:2022

Information Security Management System

COMPLETE AUDIT CHECKLIST

Comprehensive Internal & External Audit Reference Document

Organization: ___________________________

Audit Date: ___________________________

Lead Auditor: ___________________________

Audit Type: Internal ☐ External ☐

Audit Scope: ___________________________

Document Version: 1.0

HOW TO USE THIS CHECKLIST

This checklist is designed to support ISO 27001:2022 internal and external audits. Each checklist item should be evaluated and marked with exactly one status from the legend below, and the objective evidence that supports that status (documents, interviews, observations) should be recorded in the Evidence / Notes cell so that the finding can be traced.

Sub-item references such as 6.1.2a or 6.1.3c are this checklist's own numbering, used to split a clause into separate check points; they do not correspond to the lettered paragraphs of the standard itself. Cite the clause number (e.g., 6.1.2) when raising a finding.

The requirements of Clauses 4 to 10 are mandatory for any organization claiming conformity and cannot be excluded, so N/A should not normally be used for those items. N/A is intended for Annex A controls that the Statement of Applicability excludes with a documented justification.

The status codes do not distinguish major from minor nonconformities. When completing the scorecard, classify each NC (and any PC that represents a requirement not fully met) as major or minor so that the Overall Audit Conclusion is supported by the individual findings.

Status Legend

Status Code                        | Color (cell fill) | Meaning
C – Conforming                     | #E2EFDA (green)   | Requirement is fully met with adequate objective evidence
PC – Partial Conformance           | #FFF2CC (yellow)  | Requirement is partially met; minor gaps or improvements needed
NC – Non-Conforming                | #FCE4D6 (orange)  | Requirement is not met; corrective action is required
N/A – Not Applicable               | #F2F2F2 (grey)    | Requirement does not apply to the organization's scope
OFI – Opportunity for Improvement  | #D6E4F0 (blue)    | Requirement is met but an improvement opportunity has been identified

AUDIT SUMMARY SCORECARD

Complete this scorecard after all checklist items have been evaluated. Use it to report findings to management. The 168 items are the 75 check points for Clauses 4 to 10 plus the 93 Annex A controls; the Total column is fixed, and the status columns should add up to it for each row.

Clause / Section                     | Total | C | PC | NC | N/A | OFI
4 – Context of the Organization      |   9   |   |    |    |     |
5 – Leadership                       |  12   |   |    |    |     |
6 – Planning                         |  16   |   |    |    |     |
7 – Support                          |  12   |   |    |    |     |
8 – Operation                        |   9   |   |    |    |     |
9 – Performance Evaluation           |  10   |   |    |    |     |
10 – Improvement                     |   7   |   |    |    |     |
Annex A.5 – Organizational Controls  |  37   |   |    |    |     |
Annex A.6 – People Controls          |   8   |   |    |    |     |
Annex A.7 – Physical Controls        |  14   |   |    |    |     |
Annex A.8 – Technological Controls   |  34   |   |    |    |     |
TOTAL                                | 168   |   |    |    |     |

Overall Audit Conclusion: ☐ Compliant ☐ Minor NCs ☐ Major NCs ☐ Not Certified

Auditor Signature: _________________________________ Date: ________________
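Filling in the scorecard by hand is error-prone on 168 rows, and the same pass over the data is where an auditor wants two checks the checklist only implies: that every section has exactly the expected number of evaluated items, and that Annex A items marked N/A match the exclusions in the Statement of Applicability (the cross-reference the Annex A section of this checklist asks for). The following Python script is an added example, not part of the original checklist or of any ISO Xpert tool. It assumes the completed checklist is exported as a two-column CSV with `ref` and `status` headers (an assumption: this document defines no export format), embeds a small constructed sample, and, when deriving the Overall Audit Conclusion line, treats any NC as a major and any PC as a minor nonconformity, which is also an assumption because the checklist does not define that mapping. Whether an organization is certified is a certification-body decision the script does not attempt to derive.

```python
"""Tally a completed ISO 27001:2022 audit checklist into its summary scorecard.

Added example. Input format (an assumption: the checklist defines none) is a
CSV with 'ref' and 'status' columns, one row per evaluated checklist item.
"""
import csv
import io
from collections import Counter

STATUSES = ("C", "PC", "NC", "N/A", "OFI")      # legend codes, one per item

# Item counts per scorecard section, taken from the scorecard table.
EXPECTED_TOTALS = {
    "4": 9, "5": 12, "6": 16, "7": 12, "8": 9, "9": 10, "10": 7,
    "A.5": 37, "A.6": 8, "A.7": 14, "A.8": 34,
}

# Constructed sample export: Clause 4 fully evaluated, three Annex A controls so far.
SAMPLE_EXPORT = """ref,status
4.1.1,C
4.1.2,C
4.1.3,PC
4.2.1,C
4.2.2,OFI
4.2.3,C
4.3.1,C
4.3.2,NC
4.3.3,C
A.5.23,N/A
A.6.7,N/A
A.7.1,C
"""


def section_of(ref):
    """Scorecard section for an item reference: '6.1.2a' -> '6', 'A.5.23' -> 'A.5'."""
    parts = ref.split(".")
    return ".".join(parts[:2]) if ref.startswith("A.") else parts[0]


def parse_checklist(text):
    """Parse the export into {ref: status}.

    Rejects unknown status codes and duplicated references, so an item with two
    boxes ticked or entered twice cannot silently skew the scorecard.
    """
    items = {}
    for row in csv.DictReader(io.StringIO(text)):
        ref, status = row["ref"].strip(), row["status"].strip().upper()
        if status not in STATUSES:
            raise ValueError(f"{ref}: unknown status {status!r}")
        if ref in items:
            raise ValueError(f"{ref}: duplicate entry")
        items[ref] = status
    return items


def scorecard(items):
    """Per-section counts in the scorecard's columns, plus a TOTAL row."""
    card = {}
    for ref, status in items.items():
        counts = card.setdefault(section_of(ref), Counter({s: 0 for s in STATUSES}))
        counts[status] += 1
    for counts in card.values():
        counts["Total"] = sum(counts[s] for s in STATUSES)
    total = Counter()
    for counts in card.values():
        total.update(counts)
    card["TOTAL"] = total
    return {sec: dict(counts) for sec, counts in card.items()}


def completeness_gaps(items):
    """Sections whose evaluated item count differs from the scorecard's expected total."""
    card = scorecard(items)
    gaps = {}
    for sec, expected in EXPECTED_TOTALS.items():
        found = card.get(sec, {}).get("Total", 0)
        if found != expected:
            gaps[sec] = (found, expected)
    return gaps


def soa_mismatches(items, soa_excluded):
    """Cross-check Annex A statuses against the Statement of Applicability.

    Returns (controls marked N/A that the SoA does not exclude,
             SoA-excluded controls that were given a status other than N/A).
    """
    annex = {ref: st for ref, st in items.items() if ref.startswith("A.")}
    not_applicable = {ref for ref, st in annex.items() if st == "N/A"}
    excluded = set(soa_excluded)
    return (sorted(not_applicable - excluded),
            sorted((excluded & set(annex)) - not_applicable))


def conclusion(items):
    """Overall Audit Conclusion line. Assumption (not defined by the checklist):
    NC is reported as a major and PC as a minor nonconformity. 'Not Certified'
    is a certification-body decision and is not derived here."""
    statuses = set(items.values())
    if "NC" in statuses:
        return "Major NCs"
    if "PC" in statuses:
        return "Minor NCs"
    return "Compliant"


if __name__ == "__main__":
    items = parse_checklist(SAMPLE_EXPORT)
    for sec, counts in scorecard(items).items():
        print(f"{sec:>6} " + " ".join(f"{k}={counts[k]}" for k in ("Total",) + STATUSES))
    print("incomplete sections:", completeness_gaps(items))
    print("SoA mismatches:", soa_mismatches(items, {"A.5.23", "A.7.1"}))
    print("conclusion:", conclusion(items))
```

Run against the embedded sample, the script reports Clause 4 as complete (9 of 9), every other section as incomplete, and two SoA mismatches: A.6.7 was marked N/A without an SoA exclusion, and A.7.1 was audited as Conforming although the SoA excludes it. Both are findings in their own right, since an N/A without an SoA justification is itself a Clause 6.1.3 gap.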

Clause 4 – Context of the Organization

Understanding the organization and its context, needs, and ISMS scope

Ref. | Audit Requirement / Check Point | Audit Evidence / Notes | Status

4.1.1  Has the organization identified external issues relevant to information security (e.g., regulatory, competitive, technological, sociocultural factors)?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

4.1.2  Has the organization identified internal issues relevant to information security (e.g., governance structure, organizational culture, contractual obligations)?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

4.1.3  Are the internal and external issues reviewed and updated at defined intervals (e.g., during management review)?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

4.2.1  Has the organization identified all interested parties relevant to the ISMS (e.g., customers, regulators, suppliers, employees, shareholders)?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

4.2.2  Have the requirements of each interested party been documented and analyzed for information security implications?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

4.2.3  Are requirements of interested parties monitored and reviewed on a regular basis?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

4.3.1  Is there a documented ISMS scope that defines boundaries and applicability (products, services, locations, technology, people)?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

4.3.2  Does the scope consider the interfaces and dependencies between the organization and external parties?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

4.3.3  Is the scope maintained as documented information and communicated to relevant stakeholders?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

Clause 5 – Leadership

Top management commitment, information security policy, and organizational roles

Ref. | Audit Requirement / Check Point | Audit Evidence / Notes | Status

5.1.1  Does top management demonstrate leadership by ensuring the ISMS is aligned with the organization's strategic direction?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

5.1.2  Has top management established an information security policy and ensured it is communicated throughout the organization?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

5.1.3  Does top management ensure the ISMS achieves its intended outcomes and integrates ISMS requirements into business processes?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

5.1.4  Are resources required for the ISMS provided and supported by top management?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

5.1.5  Does top management promote continual improvement and direct persons to contribute to ISMS effectiveness?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

5.2.1  Is there a documented information security policy approved by top management?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

5.2.2  Does the information security policy include security objectives, or provide a framework for setting objectives?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

5.2.3  Does the policy commit to satisfying applicable requirements and to continual improvement of the ISMS?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

5.2.4  Is the policy communicated internally and available to interested parties as appropriate?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

5.3.1  Are roles, responsibilities, and authorities for information security assigned and communicated throughout the organization?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

5.3.2  Is a designated person or role responsible for ensuring the ISMS conforms to ISO 27001 requirements?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

5.3.3  Is a designated person or role responsible for reporting on ISMS performance to top management?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

Clause 6 – Planning

Risk and opportunity management, information security objectives and planning

Ref. | Audit Requirement / Check Point | Audit Evidence / Notes | Status

6.1.1  Has the organization determined the risks and opportunities that need to be addressed in relation to the ISMS?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

6.1.2a Is there a documented information security risk assessment process that defines risk acceptance criteria and criteria for performing assessments?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

6.1.2b Does the risk assessment process ensure that repeated assessments produce consistent, valid, and comparable results?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

6.1.2c Are information security risks identified, including those relating to loss of confidentiality, integrity, and availability?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

6.1.2d Are risk owners assigned for each identified risk?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

6.1.2e Are risks analyzed to determine likelihood and impact, and are risk levels evaluated against the risk acceptance criteria and prioritized for treatment?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

6.1.2f Are results of the risk assessment retained as documented information?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

6.1.3a Is there a documented information security risk treatment process?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

6.1.3b Are appropriate risk treatment options selected (modify, retain, avoid, share), are the necessary controls determined, and are they compared with Annex A to verify that no necessary control has been omitted?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

6.1.3c Is the Statement of Applicability (SoA) documented, listing the necessary controls with the justification for their inclusion, whether each is implemented, and the justification for excluding any Annex A control?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

6.1.3d Has a risk treatment plan been formulated and approved by risk owners?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

6.1.3e Are residual risks accepted by risk owners after treatment?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

6.2.1  Are information security objectives established at relevant functions and levels?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

6.2.2  Are objectives measurable (where practicable), consistent with the policy, and monitored and updated as required?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

6.2.3  Are plans for achieving objectives documented with resources, responsibilities, timelines, and evaluation methods?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

6.3.1  Are changes to the ISMS planned in a controlled manner, considering ISMS integrity and resource availability?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

Clause 7 – Support

Resources, competence, awareness, communication, and documented information

Ref. | Audit Requirement / Check Point | Audit Evidence / Notes | Status

7.1.1  Are the resources needed to establish, implement, maintain, and continually improve the ISMS determined and provided?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

7.2.1  Are competency requirements determined and documented for persons doing work under the organization's control that affects its information security performance?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

7.2.2  Is education, training, or experience provided to ensure persons are competent, and are records maintained as evidence of competence?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

7.2.3  Where applicable, are actions taken to acquire the necessary competence, and is their effectiveness evaluated?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

7.3.1  Are persons aware of the information security policy and how they contribute to ISMS effectiveness?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

7.3.2  Are persons aware of the implications of not conforming to ISMS requirements?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

7.4.1  Has the organization determined the need for internal and external communications relevant to the ISMS (what, when, with whom, how)?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

7.4.2  Are communication processes for information security events and incidents clearly defined?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

7.5.1  Does the ISMS include the documented information required by ISO 27001 and any additional documentation the organization has determined necessary for ISMS effectiveness?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

7.5.2  Is documented information identified with title, date, author, reference number, and document status?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

7.5.3  Are processes for creating, updating, and controlling documented information established (review, approval, version control, distribution, access, retention, disposal)?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

7.5.4  Is documented information of external origin identified and controlled appropriately?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

Clause 8 – Operation

Operational planning, risk assessment execution, and risk treatment

Ref. | Audit Requirement / Check Point | Audit Evidence / Notes | Status

8.1.1  Are processes needed to meet information security requirements planned, implemented, and controlled?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

8.1.2  Are plans for achieving ISMS objectives implemented and controlled?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

8.1.3  Is documented information retained to demonstrate processes are carried out as planned?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

8.1.4  Are changes to ISMS-related processes controlled, with unintended changes reviewed and actions taken to mitigate adverse effects?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

8.1.5  Are externally provided processes, products, or services relevant to the ISMS determined and controlled (the 2022 edition broadens the 2013 wording on outsourced processes)?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

8.2.1  Are information security risk assessments performed at planned intervals or when significant changes are proposed or occur?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

8.2.2  Are the results of risk assessments retained as documented information?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

8.3.1  Is the information security risk treatment plan implemented?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

8.3.2  Are results of the risk treatment retained as documented information?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

Clause 9 – Performance Evaluation

Monitoring, measurement, internal audit, and management review

Ref. | Audit Requirement / Check Point | Audit Evidence / Notes | Status

9.1.1  Has the organization determined what needs to be monitored and measured for the ISMS, including security processes and controls?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

9.1.2  Are methods for monitoring, measurement, analysis, and evaluation documented and applied to ensure valid and comparable results?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

9.1.3  Are monitoring and measurement performed at defined intervals, and are the results analyzed and evaluated?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

9.1.4  Are results of monitoring and measurement retained as documented information?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

9.2.1  Is there a documented internal audit program including frequency, methods, responsibilities, planning requirements, and reporting?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

9.2.2  Are internal audits conducted at planned intervals by competent auditors who do not audit their own work?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

9.2.3  Are audit results reported to relevant management and retained as documented information?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

9.3.1  Does top management review the ISMS at planned intervals? (The standard sets no minimum frequency; an annual review is common practice, and the interval chosen should be documented.)
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

9.3.2  Does the management review consider the status of previous actions, changes in internal and external issues and in the needs of interested parties, feedback on ISMS performance (nonconformities, monitoring results, audit results, objectives), feedback from interested parties, risk assessment results and risk treatment plan status, and opportunities for improvement?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

9.3.3  Are outputs of the management review documented, and do they include decisions on continual improvement, changes to the ISMS, and resource needs?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

Clause 10 – Improvement

Continual improvement, nonconformity, and corrective action. Note that ISO 27001:2022 reversed the 2013 order of these subclauses: 10.1 is now Continual improvement and 10.2 is Nonconformity and corrective action, and the references below follow the 2022 numbering.

Ref. | Audit Requirement / Check Point | Audit Evidence / Notes | Status

10.1.1 Does the organization continually improve the suitability, adequacy, and effectiveness of the ISMS?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

10.1.2 Are improvement opportunities identified through audit results, monitoring, management review, and other sources?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

10.2.1 When nonconformities occur, are they reacted to and controlled, and are actions taken to deal with the consequences?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

10.2.2 Are root causes of nonconformities determined and corrective actions implemented to prevent recurrence?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

10.2.3 Is the effectiveness of corrective actions reviewed and verified?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

10.2.4 Are changes made to the ISMS, including updates to the identified risks and opportunities, where corrective actions show them to be necessary?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

10.2.5 Are the nature of nonconformities, the actions taken, and the results of corrective actions retained as documented information?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

ANNEX A – INFORMATION SECURITY CONTROLS

The following checklist covers all 93 controls in Annex A of ISO 27001:2022. Cross-reference the Statement of Applicability (SoA) to determine which controls apply to the audited scope: a control the SoA excludes is marked N/A (and the auditor should confirm that the exclusion is justified), while every control the SoA includes must be audited for implementation and effectiveness.

Annex A.5 – Organizational Controls (37 Controls)

Ref. | Audit Requirement / Check Point | Audit Evidence / Notes | Status

A.5.1  Policies for information security: Are information security policies defined, approved by management, published, communicated, and reviewed at planned intervals?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.5.2  Information security roles and responsibilities: Are roles and responsibilities for information security clearly defined and allocated?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.5.3  Segregation of duties: Are conflicting duties segregated to reduce the risk of unauthorized access or modification?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.5.4  Management responsibilities: Does management require all personnel to apply information security in accordance with the established policy, topic-specific policies, and procedures?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.5.5  Contact with authorities: Are appropriate contacts maintained with relevant authorities (law enforcement, regulatory bodies)?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.5.6  Contact with special interest groups: Are contacts maintained with special interest groups or security forums?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.5.7  Threat intelligence: Is information about information security threats collected and analyzed to produce threat intelligence, and is it used to reduce risk?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.5.8  Information security in project management: Is information security integrated into project management regardless of project type?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.5.9  Inventory of information and other associated assets: Is an inventory of information and other associated assets, including their owners, developed and maintained?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.5.10 Acceptable use of information and other associated assets: Are rules for acceptable use and procedures for handling information and other associated assets identified, documented, and implemented?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.5.11 Return of assets: Are processes in place to ensure the return of assets upon termination or change of employment, contract, or agreement?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.5.12 Classification of information: Is information classified according to confidentiality, integrity, availability, and legal requirements?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.5.13 Labelling of information: Is a set of procedures for information labelling developed and implemented in line with the classification scheme?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.5.14 Information transfer: Are rules for the transfer of information in place for all forms of transfer (electronic, physical, verbal)?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.5.15 Access control: Are access control rules established based on business and information security requirements?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.5.16 Identity management: Is the full lifecycle of identities managed (provisioning, review, de-provisioning)?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.5.17 Authentication information: Is the allocation and management of authentication information (passwords, tokens, keys) controlled via a formal process, and are users advised on its appropriate handling?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.5.18 Access rights: Are access rights provisioned, reviewed, modified, and removed per policy?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.5.19 Information security in supplier relationships: Are processes to manage the security risks associated with suppliers and partners implemented?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.5.20 Addressing information security within supplier agreements: Are relevant information security requirements established and agreed in supplier agreements?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.5.21 Managing information security in the ICT supply chain: Are processes in place to manage security risks in the ICT products and services supply chain?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.5.22 Monitoring, review and change management of supplier services: Are supplier services regularly monitored, reviewed, and audited, and are changes to them managed?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.5.23 Information security for use of cloud services: Are processes for the acquisition, use, management, and exit from cloud services established per the organization's security requirements?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.5.24 Information security incident management planning and preparation: Is there an incident management plan with defined roles, responsibilities, and procedures?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.5.25 Assessment and decision on information security events: Are events assessed and classified to decide whether they constitute incidents?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.5.26 Response to information security incidents: Are incidents responded to per documented procedures?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.5.27 Learning from information security incidents: Is knowledge from incidents used to strengthen controls and improve processes?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.5.28 Collection of evidence: Are procedures for the identification, collection, acquisition, and preservation of evidence defined and followed?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.5.29 Information security during disruption: Is information security maintained at an appropriate level during disruption and adverse situations?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.5.30 ICT readiness for business continuity: Is ICT readiness for business continuity planned, implemented, maintained, and tested?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.5.31 Legal, statutory, regulatory and contractual requirements: Are legal, statutory, regulatory, and contractual requirements relevant to information security identified, documented, and kept up to date?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.5.32 Intellectual property rights: Are procedures to protect intellectual property rights implemented?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.5.33 Protection of records: Are records protected from loss, destruction, falsification, unauthorized access, and unauthorized release?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.5.34 Privacy and protection of PII: Are privacy and the protection of personal data ensured per applicable laws, regulations, and contractual requirements?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.5.35 Independent review of information security: Is the organization's approach to managing information security, and its implementation, reviewed independently at planned intervals or when significant changes occur?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.5.36 Compliance with policies, rules and standards for information security: Is compliance with the information security policy, topic-specific policies, rules, and standards regularly reviewed?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.5.37 Documented operating procedures: Are operating procedures for information processing facilities documented and made available to the personnel who need them?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

Annex A.6 – People Controls (8 Controls)

Ref. | Audit Requirement / Check Point | Audit Evidence / Notes | Status

A.6.1  Screening: Are background verification checks conducted on all candidates before joining the organization and on an ongoing basis, per applicable laws and regulations and proportionate to the classification of information to be accessed?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.6.2  Terms and conditions of employment: Do employment contracts state the information security responsibilities of employees and contractors?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.6.3  Information security awareness, education and training: Are all personnel provided with appropriate awareness, education, and training on security policies relevant to their role?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.6.4  Disciplinary process: Is there a formalized and communicated disciplinary process for personnel who violate information security policies?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.6.5  Responsibilities after termination or change of employment: Are the information security responsibilities that remain valid after termination or change of employment defined, communicated, and enforced?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.6.6  Confidentiality or non-disclosure agreements: Are confidentiality and NDA requirements identified, documented, and signed by personnel and third parties?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.6.7  Remote working: Are policies and controls implemented to protect information accessed, processed, or stored when personnel work remotely?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.6.8  Information security event reporting: Are personnel able to report observed or suspected information security events through appropriate channels promptly?
       Evidence: □ Documents reviewed: ______  □ Interviews conducted: ______  □ Observations made: ______  Notes: ___________________
       Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

Annex A.7 – Physical Controls (14 Controls)

Ref. | Audit Requirement / Check Point | Audit Evidence / Notes | Status

A.7.1  Physical security perimeters: Are physical perimeters (fences, walls, card-controlled gates) used to protect information processing facilities?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.7.2  Physical entry: Are secure areas protected by appropriate entry controls to restrict access to authorized personnel only?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.7.3  Securing offices, rooms and facilities: Are physical security measures designed and applied to offices, rooms, and facilities?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.7.4  Physical security monitoring: Are facilities continuously monitored for unauthorized access (CCTV, security guards, alarms)?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.7.5  Protecting against physical and environmental threats: Are physical and environmental threats (fire, flood, earthquake, civil unrest) identified and mitigated?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.7.6  Working in secure areas: Are procedures for working in secure areas designed and implemented?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.7.7  Clear desk and clear screen: Are clear desk and clear screen policies defined and enforced?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.7.8  Equipment siting and protection: Is equipment sited and protected to reduce risks from environmental threats and unauthorized access?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.7.9  Security of assets off-premises: Are assets taken off-premises protected per the assessed risk?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.7.10  Storage media: Are storage media managed through their lifecycle, including secure disposal and sanitization?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.7.11  Supporting utilities: Are facilities protected from power failure and other disruptions (UPS, generators, dual feeds)?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.7.12  Cabling security: Are power and data cables protected from interception, interference, or damage?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.7.13  Equipment maintenance: Is equipment correctly maintained to ensure continued availability and integrity?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.7.14  Secure disposal or re-use of equipment: Are items of equipment verified prior to disposal or reuse to ensure all sensitive data and software have been removed?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

Annex A.8 – Technological Controls (34 Controls)

Ref. | Audit Requirement / Check Point | Audit Evidence / Notes | Status

A.8.1  User end point devices: Is information stored on, processed by, or accessible via user endpoint devices protected?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.8.2  Privileged access rights: Are privileged access rights restricted, managed, controlled, and reviewed?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.8.3  Information access restriction: Is access to information and application systems restricted per the access control policy?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.8.4  Access to source code: Is access to source code, development tools, and software libraries restricted?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.8.5  Secure authentication: Are secure authentication technologies and procedures implemented for identity and access management?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.8.6  Capacity management: Are resources monitored and their use projected to ensure required performance?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.8.7  Protection against malware: Is protection against malware implemented and supported by user awareness?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.8.8  Management of technical vulnerabilities: Is information about technical vulnerabilities of systems obtained and acted upon in a timely manner?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.8.9  Configuration management: Are configurations of hardware, software, services, and networks established, documented, implemented, and monitored?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.8.10  Information deletion: Is information deleted when no longer required per the retention policy?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.8.11  Data masking: Is data masking used in accordance with the access control policy and business requirements?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.8.12  Data leakage prevention: Are DLP measures applied to systems and networks that process sensitive information?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.8.13  Information backup: Are backup copies of information taken and tested regularly in accordance with the agreed backup policy?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.8.14  Redundancy of information processing facilities: Is redundancy of information processing facilities implemented to meet availability requirements?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.8.15  Logging: Are event logs recording activities, exceptions, faults, and security events produced, stored, and protected?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.8.16  Monitoring activities: Are networks, systems, and applications monitored for anomalous behavior?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.8.17  Clock synchronization: Are the clocks of information processing systems synchronized to approved time sources?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.8.18  Use of privileged utility programs: Is use of utility programs capable of overriding system and application controls restricted and tightly controlled?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.8.19  Installation of software on operational systems: Are procedures to control installation of software on operational systems implemented?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.8.20  Networks security: Are networks managed and controlled to protect information in systems and applications?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.8.21  Security of network services: Are security mechanisms, service levels, and requirements for network services identified and included in agreements?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.8.22  Segregation of networks: Are groups of services, users, and information systems segregated in the network?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.8.23  Web filtering: Is access to external websites managed to reduce exposure to malicious content?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.8.24  Use of cryptography: Are rules for effective use of cryptography (including key management) defined and implemented?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.8.25  Secure development life cycle: Are rules for secure development of software and systems established and applied?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.8.26  Application security requirements: Are information security requirements identified, specified, and approved for new or modified applications?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.8.27  Secure system architecture and engineering principles: Are security engineering principles established, documented, and applied to system engineering activities?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.8.28  Secure coding: Are secure coding principles applied to software development?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.8.29  Security testing in development and acceptance: Are security testing processes defined and implemented in the development lifecycle?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.8.30  Outsourced development: Is outsourced system development supervised and monitored by the organization?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.8.31  Separation of development, test and production environments: Are development, testing, and production environments separated and secured?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.8.32  Change management: Are changes to information processing facilities and systems subject to change management procedures?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.8.33  Test information: Is test information selected, protected, and managed appropriately?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

A.8.34  Protection of information systems during audit testing: Are audit tests and activities involving assessment of operational systems planned and agreed to minimize business disruption?
Evidence: □ Documents reviewed:  □ Interviews conducted:  □ Observations made:
Notes: ___________________
Status: ☐ C  ☐ PC  ☐ NC  ☐ N/A  ☐ OFI

AUDIT FINDINGS LOG

Record all nonconformities and observations identified during the audit below.

# | Ref. | Finding Type | Description | Evidence | Corrective Action | Due Date
1 | ____ | ☐ NC ☐ OFI ☐ OBS | ____________ | ________ | _________________ | ________
2 | ____ | ☐ NC ☐ OFI ☐ OBS | ____________ | ________ | _________________ | ________
3 | ____ | ☐ NC ☐ OFI ☐ OBS | ____________ | ________ | _________________ | ________
4 | ____ | ☐ NC ☐ OFI ☐ OBS | ____________ | ________ | _________________ | ________
5 | ____ | ☐ NC ☐ OFI ☐ OBS | ____________ | ________ | _________________ | ________
6 | ____ | ☐ NC ☐ OFI ☐ OBS | ____________ | ________ | _________________ | ________
7 | ____ | ☐ NC ☐ OFI ☐ OBS | ____________ | ________ | _________________ | ________
8 | ____ | ☐ NC ☐ OFI ☐ OBS | ____________ | ________ | _________________ | ________
