Internal Audit Checklist
ISO/IEC 27701 Toolkit: Version 1 ©CertiKit [Type here]
[Type here]
[Type here]
Internal Audit Checklist
Implementation guidance The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.
Purpose of this document This is a checklist to be used as a prompter for questions during an internal audit.
Areas of the standard addressed The main areas of the ISO/IEC 27701 standard addressed by this document are: •
All areas
General guidance When conducting an internal audit, it can be useful to have a list of standard questions to ask, organized according to the sections of the ISO/IEC 27701 standard. This makes the audit more interesting than simply reading the requirements from a spreadsheet. It’s possible that any one audit will not cover all parts of the standard so you may need to edit this checklist to cover the areas you need. You may also like to add further questions to the lists, depending on the type of organization you are auditing. At each stage, it is important that evidence is reviewed and recorded to prove that procedures etc. are in place.
Review frequency We would recommend that this document is reviewed annually.
Document fields This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”.
Version 1
Page 2 of 11
[Insert date]
Internal Audit Checklist
To update this field (and any others that may exist in this document): • • • •
Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab). Press F9 on the keyboard to update all fields. When prompted, choose the option to just update TOC page numbers.
If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9. If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly. Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.
Copyright notice Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.
Licence terms This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.
Disclaimer Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will
Version 1
Page 3 of 11
[Insert date]
Internal Audit Checklist
create your own document and to which you will apply all reasonable quality checks before use. Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
Version 1
Page 4 of 11
[Insert date]
Internal Audit Checklist Audit details Audit: Audit scope: Auditors:
Audit date:
1 Clause 5. PIMS-specific requirements related to ISO/IEC 27001 1.1 Clause 5.1 General RECOMMENDED QUESTIONS
AUDIT FINDINGS
EVIDENCE REVIEWED
1. Has privacy been adequately incorporated into the existing ISMS? 2. Has the documentation been updated to refer to “information security and privacy”?
PIMS-FORM-05-2 Version 1
Page 5 of 11
[Insert date]
1.2 Clause 5.2 Context of the organization RECOMMENDED QUESTIONS
AUDIT FINDINGS
EVIDENCE REVIEWED
AUDIT FINDINGS
EVIDENCE REVIEWED
1. For which processing of PII does the organization act as a controller, joint controller, or processor? 2. What external and internal factors are relevant to the PIMS? 3. Which interested parties are relevant to the processing of PII?
1.3 Clause 5.4 Planning RECOMMENDED QUESTIONS 1. How are privacy risks identified and assessed? 2. Is the impact to the PII principal adequately considered? 3. Has the statement of applicability been updated to include the ISO27701 controls? 4. Which ISO27701 controls are inapplicable, if any?
PIMS-FORM-05-2 Version 1
Page 6 of 11
[Insert date]
2 Annex A – PIMS-specific reference control objectives and controls (PII Controllers) 2.1 A.7.2 Conditions for collection and processing RECOMMENDED QUESTIONS
AUDIT FINDINGS
EVIDENCE REVIEWED
1. For what specific purposes is PII processed? 2. Which lawful bases are used to justify the processing? 3. Tell me how consent is obtained and recorded. 4. Please show me a recent privacy impact assessment. 5. Are written contracts in place with all PII processors? 6. What records are kept about PII processing?
2.2 A.7.3 Obligations to PII principals RECOMMENDED QUESTIONS
AUDIT FINDINGS
EVIDENCE REVIEWED
1. What information is provided to PII principals at the point of collection of PII? 2. How do PII principals exercise their rights under applicable legislation?
PIMS-FORM-05-2 Version 1
Page 7 of 11
[Insert date]
RECOMMENDED QUESTIONS
AUDIT FINDINGS
EVIDENCE REVIEWED
3. Can we look at a recent request and how it has been handled? 4. How do you communicate with third parties with whom you have shared PII regarding PII principal requests?
2.3 A.7.4 Privacy by design and privacy by default RECOMMENDED QUESTIONS
AUDIT FINDINGS
EVIDENCE REVIEWED
1. How is privacy incorporated into new processes and systems? 2. How long is PII retained for, and what happens when the retention period expires? 3. What controls are used when PII is transmitted outside the organization?
2.4 A.7.5 PII sharing, transfer and disclosure RECOMMENDED QUESTIONS
AUDIT FINDINGS
EVIDENCE REVIEWED
1. What transfers of PII take place? 2. What is the legal basis for each transfer?
PIMS-FORM-05-2 Version 1
Page 8 of 11
[Insert date]
RECOMMENDED QUESTIONS
AUDIT FINDINGS
EVIDENCE REVIEWED
3. Can we see what disclosures of PII have been made recently?
PIMS-FORM-05-2 Version 1
Page 9 of 11
[Insert date]
3 Annex B – PIMS-specific reference control objectives and controls (PII Processors) 3.1 B.8.2 Conditions for collection and processing RECOMMENDED QUESTIONS
AUDIT FINDINGS
EVIDENCE REVIEWED
1. Please show me a customer agreement for the processing of PII. 2. How do you ensure that customer PII is not used for unauthorised purposes? 3. How do you help customers demonstrate compliance with privacy legislation? 4. Please show me your records related to processing PII.
3.2 B.8.3 Obligations to PII principals RECOMMENDED QUESTIONS
AUDIT FINDINGS
EVIDENCE REVIEWED
1. How do you help your customers manage requests from PII principals?
PIMS-FORM-05-2 Version 1
Page 10 of 11
[Insert date]
3.3 B.8.4 Privacy by design and by default RECOMMENDED QUESTIONS
AUDIT FINDINGS
EVIDENCE REVIEWED
1. How are temporary files containing PII managed? 2. What happens to PII when a customer ends their contract? 3. How is PII sent over a network protected?
3.4 B.8.5 PII sharing, transfer and disclosure RECOMMENDED QUESTIONS
AUDIT FINDINGS
EVIDENCE REVIEWED
1. How does the customer know where their PII is stored and processed? 2. How often is PII disclosed to third parties, and how is this managed? 3. What is the process for managing the engagement of sub-processors?
PIMS-FORM-05-2 Version 1
Page 11 of 11
[Insert date]