ISMS-FORM-09-4 Internal Audit Checklist by CertiKit Limited

Internal

Implementation guidance

The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.

Purpose of this document

This is a checklist to be used as a prompter for questions during an internal audit.

Areas of the standard addressed

The main areas of the ISO/IEC 27001 standard addressed by this document are:

• 9. Performance evaluation

o 9.2 Internal audit

• A.5 Organizational controls

o A.5.35 Independent review of information security

General guidance

When conducting an internal audit, it can be useful to have a list of standard questions to ask, organized according to the sections of the ISO/IEC 27001 standard. This makes the audit more interesting than simply reading the requirements from a spreadsheet. It is possible that any one audit will not cover all parts of the standard so you may need to edit this checklist to cover the areas you need. You may also like to add further questions to the lists, depending on the type of organization you are auditing.

At each stage, it is important that evidence is reviewed and recorded to prove that procedures etc. are in place.

Review frequency

We would recommend that this document is reviewed annually.

Document fields

This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”.

To update this field (and any others that may exist in this document):

1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.

2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).

3. Press F9 on the keyboard to update all fields.

4. When prompted, choose the option to just update TOC page numbers.

If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9.

If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly.

Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.

Except for any specifically identified third-party works included, this document has been authored by CertiKit and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.

Licence terms

This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence.

If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any thirdparty copyright included in this document.

Disclaimer

Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use.

Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country.

You should take all reasonable and proper legal and other professional advice before using this document.

CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.

Internal Audit Checklist

ISMS-FORM-09-4 Version 1

DOCUMENT CLASSIFICATION [Insert classification]

DOCUMENT REF ISMS-FORM-09-4

VERSION 1

DATED [Insert date]

DOCUMENT AUTHOR [Insert name]

DOCUMENT OWNER [Insert name/role]

5 of 28 [Insert date]

1 Audit details

AUDIT

AUDIT SCOPE

AUDITOR(S)

DATE OF AUDIT

2 Clause 4: Context of the Organization

2.1 Clause 4.1: Understanding the organization and its context

RECOMMENDED QUESTIONS

1. What are the internal and external issues that are relevant to the ISMS?

2. How do they affect its ability to achieve its intended outcome?

2.2 Clause 4.2: Understanding the needs and expectations of interested parties RECOMMENDED

1. Who are the interested parties?

2. What are their requirements?

3. How have their requirements been established?

2.3 Clause 4.3: Determining the scope of the ISMS

RECOMMENDED QUESTIONS

1. What is the ISMS scope?

2. How is it defined?

3. Is it reasonable?

4. Does it consider relevant issues and requirements?

5. Does it consider how the organization interacts with other organizations?

6. Is the scope documented?

3 Clause 5: Leadership

3.1 Clause 5.1: Leadership and Commitment

1. Who is defined as top management within the scope of the ISMS?

2. How does top management demonstrate leadership and commitment?

3. Are information security policies and objectives established?

4. Are enough resources allocated to the ISMS?

5. How does top management communicate to everyone involved in the ISMS?

3.2 Clause 5.2: Policy

RECOMMENDED QUESTIONS

1. Can I review the information security policy?

2. Is it appropriate and cover the required areas?

3. Does it include the required commitments?

4. How has it been communicated and distributed and to whom?

3.3 Clause 5.3: Organizational roles, responsibilities and authorities

RECOMMENDED QUESTIONS

1. What are the roles within the ISMS?

2. Are roles and responsibilities documented, for example in an organization chart?

3. Does everyone understand what their responsibilities and authorities are?

4. Who has the responsibility and authority for conformance and reporting?

4 Clause 6: Planning

4.1 Clause 6.1: Actions to address risks and opportunities

RECOMMENDED QUESTIONS

1. Is there a documented risk assessment process?

2. Does it address risk acceptance criteria and when assessments should be done?

3. Are risks and opportunities to the ISMS identified and evaluated?

4. Are interested party requirements and internal and external issues considered?

5. What is the most recent risk assessment?

6. Does it identify a reasonable set of risks and specify owners?

7. Are the likelihood and impact of risks assessed appropriately and risk levels determined?

8. How are the risks then evaluated and prioritized?

9. Is there a documented risk treatment process?

10. Review the most recent risk treatment plan.

11. Are reasonable risk treatment options selected?

12. Are the controls chosen to treat the risks stated clearly?

13. Has a Statement of Applicability been produced and are inclusions and exclusions reasonable?

14. Has the risk treatment plan been signed off by the risk owners?

4.2 Clause 6.2: Information security objectives and planning to achieve them

4.1 Clause 6.3 Planning of changes

1. Is there a process in place for the planning of changes to the ISMS?

2. Has the process been followed for recent changes?

5 Clause 7: Support

5.1 Clause 7.1: Resources

5.2 Clause 7.2: Competence

RECOMMENDED

1. Have the necessary competences been determined?

2. How has the competence of the people involved in the ISMS been established?

3. What actions have been identified to acquire the necessary competence?

4. Have they been completed and is there evidence of this?

5.3 Clause 7.3: Awareness

1. What approach has been taken to providing awareness of the information security policy, contribution to the ISMS and implications of not conforming?

2. Has everyone been covered?

5.4 Clause 7.4: Communication

RECOMMENDED QUESTIONS

1. How has the need for communication been established?

2. Is the approach to communication documented?

3. Is it evident that communication methods are in use?

4. Does the approach cover all areas in 7.4 a) to e)?

5.5 Clause 7.5: Documented information

RECOMMENDED QUESTIONS

1. Is all the documented information required by the standard in place?

2. Is the level of other documentation reasonable for the size of ISMS?

3. Are appropriate documentation standards –for example, identification, format – in place?

4. Are the documentation standards applied in a uniform way?

5. Are appropriate controls in place to meet 7.5.3 a) to f)?

6. How are documents of external origin handled?

6 Clause 8: Operation

6.1

Clause 8.1: Operational planning and control

RECOMMENDED QUESTIONS

1. What plans are available to review?

2. Do they cover requirements, objectives and risk treatments?

3. What planned changes have taken place recently and how were they controlled?

4. What processes are outsourced?

5. How are they controlled?

6.2 Clause 8.2: Information security risk assessment

RECOMMENDED QUESTIONS

1. What are the planned intervals for risk assessments?

2. What significant changes have happened that have prompted a risk assessment to be carried out?

6.3 Clause 8.3: Information security risk treatment

1. What is the status of the risk treatment plan(s)?

2. How is it updated?

3. How is the success of the treatment judged?

7 Clause 9: Performance evaluation

7.1 Clause 9.1: Monitoring, measurement, analysis and evaluation

RECOMMENDED QUESTIONS

1. How is it determined what should be monitored and measured?

2. Review evidence of monitoring and measurement.

3. What procedures are in place to cover monitoring and measurement in different areas?

4. How are results reported?

7.2 Clause 9.2: Internal audit

7.3 Clause 9.3: Management review

REVIEWED

RECOMMENDED QUESTIONS AUDIT FINDINGS EVIDENCE REVIEWED

1. How often are management reviews carried out?

2. Who attends them?

3. Are they minuted?

4. Review the results of the most recent one.

5. Are all areas in 9.3 a) to f) covered at management reviews?

6. Does the management review represent a reasonable assessment of the health of the ISMS?

8 Clause 10: Improvement

8.1 Clause 10.1: Continual improvement

RECOMMENDED

1. How are improvements identified?

2. Are they recorded?

3. What evidence of continual improvement can be demonstrated?

8.2 Clause 10.2: Nonconformity and corrective action RECOMMENDED

1. How are nonconformities identified?

2. How are they recorded?

3. Review the records of a recent nonconformity.

4. Was appropriate action taken to correct it and address the underlying causes?

5. Was the effectiveness of the corrective action reviewed?

9 Annex A Reference Controls (NB: not all may be applicable)

9.1

A.5 Organizational controls

RECOMMENDED

1. Review the set of policies.

2. Are they all approved?

3. Who have they been communicated to?

FINDINGS

45 Are procedures implemented to ensure compliance with intellectual property rights?

46. Are records protected in line with the understood requirements?

47. Is privacy and protection of personally identifiable information addressed adequately?

48. Is the organization’s use of cryptographic controls legal and compliant with relevant agreements?

49 How often are independent reviews of information security carried out?

50. How often do managers check their areas comply with information security policies and standards?

51. Review the most recent report on compliance of information systems with agreed information security policies.

52. To what extent are operating procedures documented?

9.2 A.6 People controls

1. What background verification checks are carried out on employment candidates?

2. How is information security covered in employment contracts?

3. How are employees and contractors made aware of, and trained in, information security issues?

4. Is there a formal disciplinary process?

5. What happens when an employee leaves, with respect to information security?

6 Are there non-disclosure agreements in place with key parties?

7 Is there a remote working policy?

8. Review the security measures in place at a specific remote working site.

9.3 A.7 Physical controls

RECOMMENDED

1. Have the physical security perimeter and secure areas been defined?

2. What physical entry controls are in place

3. What physical protections are in place to guard against natural disasters, malicious attack or accidents?

4. Are there procedures for working in secure areas?

5. What controls are in place over delivery and loading areas?

6. How is it decided where to site equipment?

7. What protection is in place from failures of supporting utilities?

8. Is important cabling protected?

9. Review equipment maintenance logs.

10. What is the procedure for taking assets offsite and how are they protected whilst offsite?

11. How is storage media disposed of securely?

12. Is there any unattended equipment that requires protection and if so, how is that provided?

13. Are desks and screens clear of sensitive information and storage media?

14. How is removable media managed, including disposal and transport?

9.4 A.8 Technological controls

RECOMMENDED QUESTIONS

1 Is there a mobile device policy?

2. What security measures are used to manage mobile device risks?