SSO - ISO 27001 Audit Checklist

Priority
(based on ISO 27001-2013

priority of Reference
concern)
4.1 Understanding the

High organization and its
context
4.2 Understanding the

High needs and expectations
of interested parties
4.3 Determining the

High scope of the information
security management
system
4.4 Information security

High management system
5.1 Leadership and
High commitment
High 5.2 Policy

5.3 Organizational roles,
High responsibilities and
authorities
Requirement Text & related Questions (red text is not clearly addressed by the FSW SDP)
The organization shall determine external and internal issues that are relevant to its purpose and that affect its abili
intended outcome(s) of its information security management system.
NOTE Determining these issues refers to establishing the external and internal context of the organization considere
ISO 31000:2009.
Questions:
1. Show us the set of external and internal issues that affect your ability to achieve the intended outcome(s) of your
security management system.
The organization shall determine:

a) interested parties that are relevant to the information security management system; and
b) the requirements of these interested parties relevant to information security.
NOTE The requirements of interested parties may include legal and regulatory requirements and contractual obligati
Questions:
1. Show us the documented parties that are relevant to the information security management system and the requi
interested parties relevant to information security.
The organization shall determine the boundaries and applicability of the information security management system t
scope.
When determining this scope, the organization shall consider:

a) the external and internal issues referred to in 4.1;
b) the requirements referred to in 4.2; and
c) interfaces and dependencies between activities performed by the organization, and those that are performed by
The scope shall be available as documented information.

Questions:
1. Show us the documented scope of the information security management system, including the information listed
The organization shall establish, implement, maintain and continually improve an information security management
accordance with the requirements of this International Standard.
Questions:
1. Show us evidence that you continually improve your information security management system, in accordance wi
requirements of this International Standard.
Top management shall demonstrate leadership and commitment with respect to the information security managem
a) ensuring the information security policy and the information security objectives are established and are compatib
strategic direction of the organization;
b) ensuring the integration of the information security management system requirements into the organization’s pr
c) ensuring that the resources needed for the information security management system are available;
d) communicating the importance of effective information security management and of conforming to the informati
management system requirements;
e) ensuring that the information security management system achieves its intended outcome(s);
f) directing and supporting persons to contribute to the effectiveness of the information security management syste
g) promoting continual improvement; and
h) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of respon
Questions:
1. Show us evidence information security policy and the information security objectives are established and are com
strategic direction of the organization.
2. Show us evidence that the information security management system requirements are integrated into the organi
3. Show us evidence that that the resources needed for the information security management system are available.
4. Show us evidence that leadership communicates the importance of effective information security management a
the information security management system requirements
5. Show us evidence that management ensures the information security management system achieves its intended
6. Show us evidence that management directs and supports persons to contribute to the effectiveness of the inform
management system.
7. Show us evidence that management promotes continual improvement.
8. Show us evidence that management supports other relevant management roles to demonstrate their leadership
areas of responsibility.
Top management shall establish an information security policy that:

a) is appropriate to the purpose of the organization;
b) includes information security objectives (see 6.2) or provides the framework for setting information security obje
c) includes a commitment to satisfy applicable requirements related to information security; and
d) includes a commitment to continual improvement of the information security management system.
The information security policy shall:
e) be available as documented information;
f) be communicated within the organization; and
g) be available to interested parties, as appropriate.
Questions:
1. Show us your info sec policy and we will assess it for the content above.
2. Show us evidence that the info sec policy is available and has been communicated to the organization.
Top management shall ensure that the responsibilities and authorities for roles relevant to information security are
communicated.
Top management shall assign the responsibility and authority for:
a) ensuring that the information security management system conforms to the requirements of this International St
b) reporting on the performance of the information security management system to top management.
NOTE Top management may also assign responsibilities and authorities for reporting performance of the informatio
management system within the organization.
Questions:
1. Show us evidence that the responsibilities and authorities for roles relevant to information security are assigned a
especially responsibility for ensuring the system conforms to this Standard and reporting on the system's performan
management.
Priority Auditors Notes
1
2
2
1
Evidence
pass fail Action No. [includes document review, system
content reviewed]
Priority
(based on
ISO 27001-2013 Reference
priority of
concern)
6.1 Actions to address risks

High and opportunities
6.1.1 General
6.1.2 Information security
High risk assessment
6.1.3 Information security
High risk treatment
High Table A.1, Control A.5.1.1














6.2 Information security

High objectives and planning to
achieve them
Requirement Text & related Questions (red text is not clearly addressed b
When planning for the information security management system, the organization shall consider the issues referred
determine the risks and opportunities that need to be addressed to:
a) ensure the information security management system can achieve its intended outcome(s);
b) prevent, or reduce, undesired effects; and
c) achieve continual improvement.
The organization shall plan:

d) actions to address these risks and opportunities; and
e) how to
1) integrate and implement the actions into its information security management system processes; and
2) evaluate the effectiveness of these actions.
Questions:
1. Show us your list of risks and opportunities related to the topics above.
2. Show us your plan for addressing these risks and opportunities and evaluating the effectiveness of the plan.
The organization shall define and apply an information security risk assessment process that:
a) establishes and maintains information security risk criteria that include:
1) the risk acceptance criteria; and
2) criteria for performing information security risk assessments;
b) ensures that repeated information security risk assessments produce consistent, valid and comparable results;
c) identifies the information security risks:
1) apply the information security risk assessment process to identify risks associated with the loss of confidentiality,
of the information security management system; and
2) identify the risk owners;
d) analyses the information security risks:

1) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize;
2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1); and
3) determine the levels of risk;
e) evaluates the information security risks:

1) compare the results of risk analysis with the risk criteria established in 6.1.2 a); and
2) prioritize the analysed risks for risk treatment.
The organization shall retain documented information about the information security risk assessment process.
Questions:
1. Show us the information secuirty risk assessment process documentation and we will assess it for the items listed
2. Show us the Risk Analysis and describe the residual risk which remains with the controls in place
The organization shall define and apply an information security risk treatment process to:
a) select appropriate information security risk treatment options, taking account of the risk assessment results;
b) determine all controls that are necessary to implement the information security risk treatment option(s) chosen;
NOTE Organizations can design controls as required, or identify them from any source.
c) compare the controls determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls ha
NOTE 1 Annex A contains a comprehensive list of control objectives and controls. Users of this International Standar
controls are overlooked.
NOTE 2 Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in
objectives and controls may be needed.
d) produce a Statement of Applicability that contains the necessary controls (see 6.1.3 b) and c)) and justification fo
the justification for exclusions of controls from Annex A;
e) formulate an information security risk treatment plan; and
f) obtain risk owners’ approval of the information security risk treatment plan and acceptance of the residual inform
The organization shall retain documented information about the information security risk treatment process.
NOTE The information security risk assessment and treatment process in this International Standard aligns with the
Questions:
1. Show us the info sec risk treatment process.
2. Show us evidence of the implemenation of the info sec risk treatment process .
3. Show us the Statement of Applicability.
A set of policies for information security shall be defined, approved by management, published and communicated
Questions:
1. Show us your policies for information security.
2. Show us evidence of management approval of these policies.
3. Show us evidence these policies are published and communicated to employees and others who need to know th
The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure
Questions:
1. Show us evidence of regular reviews of your policies for info security.
2. Show us evidence of reviews of your policies for info security when significant changes have occured.
All information security responsibilities shall be defined and allocated.
Questions:
1. Show us evidence that all information security responsibilities are defined and allocated.
2. Show us this documented list of information security responsibilities and the persons/groups to whom they are a
Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or uninte
assets.
Questions:
1. Show us evidence that conflicting duties and areas of responsibility are segregated.
2. Show us evidence that conflicting duties and areas of responsibility are assigned to different persons/organization
Appropriate contacts with relevant authorities shall be maintained.
Questions:
1. Show us evidence that appropriate contacts with relevant authorities are maintained (documented and kept curr
Appropriate contacts with special interest groups or other specialist security forums and professional associations s
Questions:
1. Show us evidence that appropriate contacts with special interest groups or other specialist security forums and p
kept current).
Information security shall be addressed in project management, regardless of the type of the project.
Questions:
1. Show us evidence that information security is addressed in project management, regardless of the type of the pro
2. Show us evidence of info security in project plans.
Background verification checks on all candidates for employment shall be carried out in accordance with relevant la
business requirements, the classification of the information to be accessed and the perceived risks.
Questions:
1. Show us evidence of background verification checks on all candidates for employment.
2. Show use that these background checks were carried out in accordance with relevant laws, regulations and ethics
3. Show us evidence that these background checks are proportional to the business requirements, the classification
The contractual agreements with employees and contractors shall state their and the organization’s responsibilities
Questions:
1. Show us evidence that contractual agreements with employees and contractors state their and the organization’s
contract clauses.
Management shall require all employees and contractors to apply information security in accordance with the estab
Questions:
1. Show us evidence that management requires all employees and contractors to apply information security in acco
organization.
All employees of the organization and, where relevant, contractors shall receive appropriate awareness education a
and procedures, as relevant for their job function.
Questions:
1. Show us evidence that all employees of the organization and, where relevant, contractors receive appropriate aw
organizational policies and procedures, as relevant for their job function.
2. Show us training records, organizational briefings, and related updates.
There shall be a formal and communicated disciplinary process in place to take action against employees who have
Questions:
1. Show us your formal and communicated disciplinary process to take action against employees who have committ
Information security responsibilities and duties that remain valid after termination or change of employment shall b
and enforced.
Questions:
1. Show use evidence that information security responsibilities and duties that remain valid after termination or cha
employee or contractor and enforced.
Assets associated with information and information processing facilities shall be identified and an inventory of these
Questions:
1. Show us evidence that assets associated with information and information processing facilities are identified.
2. Show use the inventory of these assets and evidence the inventory is maintained/kept current.
Assets maintained in the inventory shall be owned.
Questions:
1. Show use evidence that assets maintained in the inventory ARE owned.
Rules for the acceptable use of information and of assets associated with information and information processing fa
Questions:
1. Show us your rules for the acceptable use of information and of assets associated with information and informati
2. Show us evidence that these rules are implemented.
All employees and external party users shall return all of the organizational assets in their possession upon terminati
Questions:
1. Show us evidence that all employees and external party users returned all of the organizational assets in their pos
or agreement.
Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclo
Questions:
1. Show us evidence that information is classified in terms of legal requirements, value, criticality and sensitivity to u
An appropriate set of procedures for information labelling shall be developed and implemented in accordance with
organization.
Questions:
1. Show us your set of procedures for information labelling.
2. Show us evidence that these procedures are implemented in accordance with the information classification schem
Procedures for handling assets shall be developed and implemented in accordance with the information classificatio
Questions:
1. Show us your procedures for handling assets,.
2. Show us evidence that these procedures are implemented in accordance with the information classification schem
Procedures shall be implemented for the management of removable media in accordance with the classification sch
Questions:
1. Show us your procedures for the management of removable media in accordance with the classification scheme a
2. Show us evidence that these procedues are implemented.
Media shall be disposed of securely when no longer required, using formal procedures.
Questions:
1. Show us your formal procedures for media disposal.
2. Show us evidence that media is disposed of securely when no longer required usikng these formal procedures.
Media containing information shall be protected against unauthorized access, misuse or corruption during transpor
Questions:
1. Show us evidence that media containing information is protected against unauthorized access, misuse or corrupti
An access control policy shall be established, documented and reviewed based on business and information security
Questions:
1. Show us your access control policy.
2. Show us evidence that this policy is reviewed based on business and information security requirements.
Users shall only be provided with access to the network and network services that they have been specifically autho
Questions:
1. Show us evidence that users are only be provided with access to the network and network services that they have
A formal user registration and de-registration process shall be implemented to enable assignment of access rights.
Questions:
1. Show us evidence that a formal user registration and de-registration process is implemented to enable assignmen
A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to
Questions:
1. Show us your formal user access provisioning process.
2. Show us evidence that this procss is implemented to assign or revoke access rights for all user types to all systems
The allocation and use of privileged access rights shall be restricted and controlled.
Questions:
1. Show us evidence that the allocation and use of privileged access rights is restricted and controlled.
The allocation of secret authentication information shall be controlled through a formal management process.
Questions:
1. Show us evidence that the allocation of secret authentication information is controlled through a formal managem
Asset owners shall review users’ access rights at regular intervals.
Questions:
1. Show us evidence that asset owners review users’ access rights at regular intervals.
The access rights of all employees and external party users to information and information processing facilities shall
contract or agreement, or adjusted upon change.
Questions:
1. Show us evidence that the access rights of all employees and external party users to information and information
their employment, contract or agreement, or adjusted upon change.
Users shall be required to follow the organization’s practices in the use of secret authentication information.
Questions:
1. Show us evidence that users are required to follow the organization’s practices in the use of secret authentication
Access to information and application system functions shall be restricted in accordance with the access control pol
Questions:
1. Show us evidence that access to information and application system functions are restricted in accordance with t
Where required by the access control policy, access to systems and applications shall be controlled by a secure log-o
Questions:
1. Show us evidence that where required by the access control policy, access to systems and applications is controlle
Password management systems shall be interactive and shall ensure quality passwords.
Questions:
1. Show us evidence that password management systems are interactive and ensure quality passwords.
The use of utility programs that might be capable of overriding system and application controls shall be restricted an
Questions:
1. Show us evidence that the use of utility programs that might be capable of overriding system and application con
Access to program source code shall be restricted.

Questions:
1. Show us evidence that access to program source code is restricted.
A policy on the use of cryptographic controls for protection of information shall be developed and implemented.
Questions:
1. Show us your policy on the use of cryptographic controls for protection of information.
2. Show us evidence that this policy is implemented.
A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through the
Questions:
1. Show us your policy on the use, protection and lifetime of cryptographic keys.
2. Show us evidence that this policy is developed and implemented through the whole lifecycle of the keys.
Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information an
Questions:
1. Show us your security perimeters used to protect areas that contain either sensitive or critical information and in
2. Show us evidence that these security perimeters are being used.
Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed
Questions:
1. Show us evidence that secure areas are protected by appropriate entry controls.
Physical security for offices, rooms and facilities shall be designed and applied.
Questions:
1. Show us evidence that physical security for offices, rooms and facilities exists and is applied.
Physical protection against natural disasters, malicious attack or accidents shall be designed and applied.
Questions:
1. Show us evidence that physical protection against natural disasters, malicious attack or accidents existis and is ap
Procedures for working in secure areas shall be designed and applied.
Questions:
1. Show us your procedures for working in secure areas.
2. Show us evidence that these procedures are applied.
Access points such as delivery and loading areas and other points where unauthorized persons could enter the prem
information processing facilities to avoid unauthorized access.
Questions:
1. Show us evidence that access points such as delivery and loading areas and other points where unauthorized pers
possible, isolated from information processing facilities.
Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportuniti
Questions:
1. Show us evidence that equipment is sited and protected to reduce the risks from environmental threats and haza
Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.
Questions:
1. Show us evidence that equipment is protected from power failures and other disruptions caused by failures in su
Power and telecommunications cabling carrying data or supporting information services shall be protected from int
Questions:
1. Show us evidence that power and telecommunications cabling carrying data or supporting information services is
Equipment shall be correctly maintained to ensure its continued availability and integrity.
Questions:
1. Show us evidence that equipment is correctly maintained to ensure its continued availability and integrity.
Equipment, information or software shall not be taken off-site without prior authorization.
Questions:
1. Show us evidence that equipment, information or software is not be taken off-site without prior authorization.
Security shall be applied to off-site assets taking into account the different risks of working outside the organization
Questions:
1. Show us evidence that security is applied to off-site assets taking into account the different risks of working outsid
All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed soft
disposal or re-use.
Questions:
1. Show us evidence that all items of equipment containing storage media are verified to ensure that any sensitive d
overwritten prior to disposal or re-use.
Users shall ensure that unattended equipment has appropriate protection.

Questions:
1. Show us evidence that users ensure that unattended equipment has appropriate protection.
A clear desk policy for papers and removable storage media and a clear screen policy for information processing fac
Questions:
1. Show use your clear desk policy for papers and removable storage media and your clear screen policy for informa
2. Show use evidence that these policies are implemented.
Operating procedures shall be documented and made available to all users who need them.
Questions:
1. Show us your operating procedures and evidene they are made available to all users who need them.
Changes to the organization, business processes, information processing facilities and systems that affect informatio
Questions:
1. Show use evidence that Changes to the organization, business processes, information processing facilities and sys
The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the
Questions:
1. Show us evidence that the use of resources is monitored, tuned and projections made of future capacity requirem
Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access o
Questions:
1. Show us evidence that development, testing, and operational environments are separated to reduce the risks of u
environment.
Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appr
Questions:
1. Show us evidence that detection, prevention and recovery controls to protect against malware are implemented.
2. Show us evidence that users are made aware of these controls.
Backup copies of information, software and system images shall be taken and tested regularly in accordance with an
Questions:
1. Show us approved backup policy.
2. Show us evidence that backup copies of information, software and system images are taken and tested regularly
Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and r
Questions:
1. Show us evidence that event logs recording user activities, exceptions, faults and information security events are
Logging facilities and log information shall be protected against tampering and unauthorized access.
Questions:
1. Show us evidence that logging facilities and log information is protected against tampering and unauthorized acce
System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.
Questions:
1. Show us evidence that system administrator and system operator activities are logged and the logs protected and
The clocks of all relevant information processing systems within an organization or security domain shall be synchro
Questions:
1. Show us evidence that the clocks of all relevant information processing systems within an organization or security
source.
Procedures shall be implemented to control the installation of software on operational systems.
Questions:
1. Show us your procedures to control the installation of software on operational systems.
2. Show us evidence that these procedures are implemented.
Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion,
evaluated and appropriate measures taken to address the associated risk.
Questions:
1. Show us evidence that information about technical vulnerabilities of information systems being used is obtained
vulnerabilities evaluated and appropriate measures taken to address the associated risk.
Rules governing the installation of software by users shall be established and implemented.
Questions:
1. Show us your rules governing the installation of software by users.
2. Show us evidence that these rules are implemented.
Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed
Questions:
1. Show us your audit requirements and evidence of activities involving verification of operational systems.
2. Show us evidence that these requirements are minimise disruptions to business processes.
Networks shall be managed and controlled to protect information in systems and applications.
Questions:
1. Show us evidence that networks are managed and controlled to protect information in systems and applications.
Security mechanisms, service levels and management requirements of all network services shall be identified and in
services are provided in-house or outsourced.
Questions:
1. Show us your security mechanisms, service levels and management requirements of all network services.
2. Show us evidence that these mechanisms and requirements are included in network services agreements, wheth
Groups of information services, users and information systems shall be segregated on networks.
Questions:
1. Show us evidence that groups of information services, users and information systems are segregated on network
Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the
Questions:
1. Show us your formal transfer policies, procedures and controls to protect the transfer of information through the
2. Show evidence that these policies, procedures and controls are implemented.
Agreements shall address the secure transfer of business information between the organization and external partie
Questions:
1. Show us evidence that agreements address the secure transfer of business information between the organization
Information involved in electronic messaging shall be appropriately protected.

Questions:
1. Show us evidence that information involved in electronic messaging is appropriately protected.
Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection
and documented.
Questions:
1. Show us your requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs f
2. Show us evidence that these requirements are regularly reviewed and documented.
The information security related requirements shall be included in the requirements for new information systems o
Questions:
1. Show us evidence that the information security related requirements are included in the requirements for new in
information systems.
Information involved in application services passing over public networks shall be protected from fraudulent activity
modification.
Questions:
1. Show us evidence that information involved in application services passing over public networks is protected from
disclosure and modification.
Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-
disclosure, unauthorized message duplication or replay.
Questions:
1. Show use evidence that information involved in application service transactions is protected to prevent incomple
alteration, unauthorized disclosure, unauthorized message duplication or replay.
Rules for the development of software and systems shall be established and applied to developments within the org
Questions:
1. Show us your rules for the development of software and systems.
2. Show us evidence that these rules are applied to developments within the organization.
Changes to systems within the development lifecycle shall be controlled by the use of formal change control proced
Questions:
1. Show us evidence that changes to systems within the development lifecycle are controlled by the use of formal ch
When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there i
security.
Questions:
1. Show us evidence that when operating platforms are changed, business critical applications are reviewed and tes
operations or security.
Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be stric
Questions:
1. Show us evidence that modifications to software packages are discouraged, limited to necessary changes and all c
Principles for engineering secure systems shall be established, documented, maintained and applied to any informa
Questions:
1. Show us your principles for engineering secure systems.
2. Show us evidence that these principles are maintained and applied to any information system implementation eff
Organizations shall establish and appropriately protect secure development environments for system development
development lifecycle.
Questions:
1. Show us evidence that your organization has established secure development environments for system developm
2. Show us evidence that you appropriately protect secure development environments for system development and
The organization shall supervise and monitor the activity of outsourced system development.
Questions:
1. Show use evidence that your organization supervises and monitors the activity of outsourced system developmen
Testing of security functionality shall be carried out during development.
Questions:
1. Show us evidence that testing of security functionality is carried out during development.
Acceptance testing programs and related criteria shall be established for new information systems, upgrades and ne
Questions:
1. Show us your acceptance testing programs and related criteria for new information systems, upgrades and new v
Test data shall be selected carefully, protected and controlled.
Questions:
1. Show us evidence that test data is selected carefully, protected and controlled.
Information security requirements for mitigating the risks associated with supplier’s access to the organization’s ass
Questions:
1. Show us your information security requirements for mitigating the risks associated with supplier’s access to the o
2. Show us evidence that these requirements are agreed with the supplier.
All relevant information security requirements shall be established and agreed with each supplier that may access, p
components for, the organization’s information.
Questions:
1. Show us evidence that all relevant information security requirements are established and agreed with each suppl
provide IT infrastructure components for, the organization’s information. Show us examples for multiple suppliers.
Agreements with suppliers shall include requirements to address the information security risks associated with info
product supply chain.
Questions:
1. Show us evidence that agreements with suppliers include requirements to address the information security risks
technology services and product supply chain. Show us samples for multiple suppliers.
Organizations shall regularly monitor, review and audit supplier service delivery.
Questions:
1. Show us evidence that your organization regularly monitors, reviews and audits supplier service delivery. Show u
Changes to the provision of services by suppliers, including maintaining and improving existing information security
taking account of the criticality of business information, systems and processes involved and re-assessment of risks.
Questions:
1. Show evidence that changes to the provision of services by suppliers, including maintaining and improving existin
are managed, taking account of the criticality of business information, systems and processes involved and re-assess
Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response
Questions:
1. Show us your management responsibilities and procedures for quick, effective and orderly responses to informati
Information security events shall be reported through appropriate management channels as quickly as possible.
Questions:
1. Show us evidence that information security events are reported through appropriate management channels as qu
Employees and contractors using the organization’s information systems and services shall be required to note and
weaknesses in systems or services.
Questions:
1. Show us evidence that employees and contractors using the organization’s information systems and services are
information security weaknesses in systems or services.
2. Show us samples of such notes and reports.
Information security events shall be assessed and it shall be decided if they are to be classified as information secur
Questions:
1. Show us evidence that information security events are assessed and the resulting determination regarding wheth
incidents.
Information security incidents shall be responded to in accordance with the documented procedures.
Questions:
1. Show use evidence that information security incidents are responded to in accordance with the documented proc
Knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood
Questions:
1. Show us evidence that knowledge gained from analysing and resolving information security incidents is used to re
2. Show us any related corrective actions and relevant follow-up checks.
The organization shall define and apply procedures for the identification, collection, acquisition and preservation of
Questions:
1. Show us your procedures for the identification, collection, acquisition and preservation of information, which can
2. Show us evidence that these procedures are applied.
The organization shall determine its requirements for information security and the continuity of information securit
disaster.
Questions:
1. Show us your requirements for information security and the continuity of information security management in ad
The organization shall establish, document, implement and maintain processes, procedures and controls to ensure t
during an adverse situation.
Questions:
1. Show us your processes, procedures and controls to ensure the required level of continuity for information secur
2. Show us evidence that these processes, procedures and controls are maintained/regularly reviewed and kept cur
The organization shall verify the established and implemented information security continuity controls at regular int
during adverse situations.
Questions:
1. Show us evidence that you verify your established and implemented information security continuity controls at re
effective during adverse situations.
Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements
Questions:
1. Show us evidence that your information processing facilities are implemented with redundancy sufficient to meet
All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet thes
and kept up to date for each information system and the organization.
Questions:
1. Show us evidence that all relevant legislative statutory, regulatory, contractual requirements and the organization
identified, documented and kept up to date for each information system and the organization.
Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual req
of proprietary software products.
Questions:
1. Show us your procedures to ensure compliance with legislative, regulatory and contractual requirements related
software products.
2. Show us evidence that these procedures are implemented.
Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in acc
business requirements.
Questions:
1. Show use evidence that records are protected from loss, destruction, falsification, unauthorized access and unaut
regulatory, contractual and business requirements.
Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and
Questions:
1. Show us evidence that privacy and protection of personally identifiable information is ensured as required in rele
Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.
Questions:
1. Show us evidence that cryptographic controls are used in compliance with all relevant agreements, legislation and
The organization’s approach to managing information security and its implementation (i.e. control objectives, contr
security) shall be reviewed independently at planned intervals or when significant changes occur.
Questions:
1. Show us evidence that your organization's approach to managing information security and its implementation is r
significant changes occur.
Managers shall regularly review the compliance of information processing and procedures within their area of respo
and any other security requirements.
Questions:
1. Show us evidence that managers regularly review the compliance of information processing and procedures with
policies, standards and any other security requirements.
Information systems shall be regularly reviewed for compliance with the organization’s information security policies
Questions:
1. Show us evidence that information systems are regularly reviewed for compliance with the organization’s inform
The organization shall establish information security objectives at relevant functions and levels.
The information security objectives shall:
a) be consistent with the information security policy;
b) be measurable (if practicable);
c) take into account applicable information security requirements, and results from risk assessment and risk treatme
d) be communicated; and
e) be updated as appropriate.
The organization shall retain documented information on the information security objectives.
When planning how to achieve its information security objectives, the organization shall determine:
f) what will be done;
g) what resources will be required;
h) who will be responsible;
i) when it will be completed; and
j) how the results will be evaluated.
Questions:
1. Show us your organization's information security objectives. We will assess for the information listed above.
2. Show us the plan to achieve these information security objectives.
Auditors Notes pass fail
Evidence
Action No. [includes document review, system
content reviewed]
Priority
concern)
High 7.1 Resources
High 7.2 Competence
High 7.3 Awareness
High 7.4 Communication

7.5 Documented
High information
7.5.1 General
7.5.2 Creating and

High
updating
High 7.5.3 Control of

documented information
The organization shall determine and provide the resources needed for the establishment, implementation, mainte
security management system.
Questions:
1. Show us your planned resources for establishment, implementation, maintenance and continual improvement of
The organization shall:

a) determine the necessary competence of person(s) doing work under its control that affects its information securi
b) ensure that these persons are competent on the basis of appropriate education, training, or experience;
c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the action
d) retain appropriate documented information as evidence of competence.
NOTE Applicable actions may include, for example: the provision of training to, the mentoring of, or the reassignme
competent persons.
Questions:
1. Show us info sec personnel competency requirements and assessments.
2. Show us corrective actions for competency issues.
Persons doing work under the organization’s control shall be aware of:
a) the information security policy;
b) their contribution to the effectiveness of the information security management system, including the benefits of
c) the implications of not conforming with the information security management system requirements.
Questions:
1. Show us evidence that non-info sec personnel are made aware of the info sec policy, their part in implementing t
policy (e.g. training materials would be an example of evidence).
The organization shall determine the need for internal and external communications relevant to the information sec
a) on what to communicate;
b) when to communicate;
c) with whom to communicate;
d) who shall communicate; and
e) the processes by which communication shall be effected.
Questions:
1. Show us the info sec communications plan or equivalent and we will assess for the content listed above.
The organization’s information security management system shall include:
a) documented information required by this International Standard; and
b) documented information determined by the organization as being necessary for the effectiveness of the informati
NOTE The extent of documented information for an information security management system can differ from one o
1) the size of organization and its type of activities, processes, products and services;
2) the complexity of processes and their interactions; and
3) the competence of persons.
Questions:
1. Show us evidence that the info sec management system includes the documentation listed above.
When creating and updating documented information the organization shall ensure appropriate:
a) identification and description (e.g. a title, date, author, or reference number);
b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic); and
c) review and approval for suitability and adequacy.
Questions:
1. Show us evidence that info sec documentation contains the information listed above.
Documented information required by the information security management system and by this International Standa
a) it is available and suitable for use, where and when it is needed; and
b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).
For the control of documented information, the organization shall address the following activities, as applicable:
c) distribution, access, retrieval and use;
d) storage and preservation, including the preservation of legibility;
e) control of changes (e.g. version control); and
f) retention and disposition.
Documented information of external origin, determined by the organization to be necessary for the planning and op
shall be identified as appropriate, and controlled.
NOTE Access implies a decision regarding the permission to view the documented information only, or the permissi
information, etc.
Questions:
1. Show us evidence that info sec documentation and information is controlled.
2. Show us evidence that info sec documentation control includes the items listed above (c-f).
Evidence
content reviewed]
Priority
concern)
8.1 Operational planning

High and control
High 8.2 Information security

risk assessment
High 8.3 Information security

risk treatment
The organization shall plan, implement and control the processes needed to meet information security requirement
organization shall also implement plans to achieve information security objectives determined in 6.2.
The organization shall keep documented information to the extent necessary to have confidence that the processes
The organization shall control planned changes and review the consequences of unintended changes, taking action
The organization shall ensure that outsourced processes are determined and controlled.
Questions:
1. Show us evidence of implemention and control of the processes needed to meet your information security requir
2. Show us evidence of implementation of the actions to address relevant risks and opportunities (see the Planning
3. Show us your documented info sec documentation and we will assess to gain confidence that the processes have
4. Show us evidence that planned changes are controlled.
5. Show us evidence that the consequences of unintended changes are reviewed and action is taken to mitigate any
6. Show us evidence that outsourced processes are determined and controlled.
The organization shall perform information security risk assessments at planned intervals or when significant change
established in 6.1.2 a).
The organization shall retain documented information of the results of the information security risk assessments.
Questions:
1. Show us evidence that information security risk assessments are performed periodically / regularly or when trigge
The organization shall implement the information security risk treatment plan.
The organization shall retain documented information of the results of the information security risk treatment.
Questions:
1. Show us evidence that the information security risk treatment plan is implemented.
Evidence
content reviewed]
Priority
concern)
9.1 Monitoring,
High measurement, analysis
and evaluation
High 9.2 Internal audit

High 9.3 Management review
The organization shall evaluate the information security performance and the effectiveness of the information secur
The organization shall determine:
a) what needs to be monitored and measured, including information security processes and controls;
b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results;
NOTE The methods selected should produce comparable and reproducible results to be considered valid.
c) when the monitoring and measuring shall be performed;
d) who shall monitor and measure;
e) when the results from monitoring and measurement shall be analysed and evaluated; and
f) who shall analyse and evaluate these results.
The organization shall retain appropriate documented information as evidence of the monitoring and measurement
Questions:
1. Show us evidence your organization evaluates the information security performance and the effectiveness of the
2. Show us evidence that the items listed above were assessed.
3. Show us the documented information as evidence of these monitoring and measurement results, if different from
The organization shall conduct internal audits at planned intervals to provide information on whether the informatio
a) conforms to
1) the organization’s own requirements for its information security management system; and
2) the requirements of this International Standard;
b) is effectively implemented and maintained.
The organization shall:

c) plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilitie
programme(s) shall take into consideration the importance of the processes concerned and the results of previous a
d) define the audit criteria and scope for each audit;
e) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;
f) ensure that the results of the audits are reported to relevant management; and
g) retain documented information as evidence of the audit programme(s) and the audit results.
Questions:
1. Show us evidence of internal audits of the info sec system and we will assess for the information listed above.
2. Show us the audit plan and the planned schedule for these audits and we will assess for the content listed above.
Top management shall review the organization’s information security management system at planned intervals to e
effectiveness.
The management review shall include consideration of:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the information security management system;
c) feedback on the information security performance, including trends in:
1) nonconformities and corrective actions;
2) monitoring and measurement results;
3) audit results; and
4) fulfilment of information security objectives;
d) feedback from interested parties;
e) results of risk assessment and status of risk treatment plan; and
f) opportunities for continual improvement.
The outputs of the management review shall include decisions related to continual improvement opportunities and
management system.
The organization shall retain documented information as evidence of the results of management reviews.
Questions:
1. Show us evidence of regular management review of the info sec management system.
2. Show us evidence that management reviews assess the items listed above.
3. Show us results of these management reviews and the decisions related to continual improvement opportunities
management system.
Evidence
content reviewed]
Priority
concern)
10.1 Nonconformity and

High
corrective action
10.2 Continual
High improvement
When a nonconformity occurs, the organization shall:

a) react to the nonconformity, and as applicable:
1) take action to control and correct it; and
2) deal with the consequences;
b) evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur els
1) reviewing the nonconformity;
2) determining the causes of the nonconformity; and
3) determining if similar nonconformities exist, or could potentially occur;
c) implement any action needed;
d) review the effectiveness of any corrective action taken; and
e) make changes to the information security management system, if necessary.
Corrective actions shall be appropriate to the effects of the nonconformities encountered.
The organization shall retain documented information as evidence of:

f) the nature of the nonconformities and any subsequent actions taken, and
g) the results of any corrective action.
Questions:
1. Show us evidence of your non-conformity management, including reaction, evaluation, response, follow-up revie
2. Show us evidence that the corrective actions are appropriate to the effects of the nonconformities encountered.
3. Show us your records of the nature of non-conformities, any subsequent actions taken, and the results of any co
1 and 2 above.
The organization shall continually improve the suitability, adequacy and effectiveness of the information security ma
Questions:
1. Show us evidence of continual improvements in the suitability, adequacy and effectiveness of the information sec
Evidence
content reviewed]

SSO - ISO 27001 Audit Checklist

Uploaded by

Copyright:

Available Formats

SSO - ISO 27001 Audit Checklist

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

SSO - ISO 27001 Audit Checklist

Uploaded by

Copyright:

Available Formats

What are the main topics covered in the document?

What are the main topics covered in the document?

What requirements are organizations expected to meet according to the document?

What requirements are organizations expected to meet according to the document?

Priority

(based on ISO 27001-2013

4.1 Understanding the

4.2 Understanding the

4.3 Determining the

4.4 Information security

High 5.2 Policy

The organization shall determine:

When determining this scope, the organization shall consider:

The scope shall be available as documented information.

Top management shall establish an information security policy that:

6.1 Actions to address risks

High Table A.1, Control A.5.1.1

High Table A.1, Control A.5.1.2

High Table A.1, Control A.6.1.1

High Table A.1, Control A.6.1.3

High Table A.1, Control A.6.1.4

High Table A.1, Control A.6.1.5

High Table A.1, Control A.7.1.1

High Table A.1, Control A.7.1.2

High Table A.1, Control A.7.2.1

High Table A.1, Control A.7.2.3

High Table A.1, Control A.7.3.1

High Table A.1, Control A.8.1.1

High Table A.1, Control A.8.1.2

High Table A.1, Control A.8.1.3

High Table A.1, Control A.8.1.4

High Table A.1, Control A.8.2.1

High Table A.1, Control A.8.2.3

High Table A.1, Control A.8.3.1

High Table A.1, Control A.8.3.2

High Table A.1, Control A.8.3.3

High Table A.1, Control A.9.1.1

High Table A.1, Control A.9.1.2

High Table A.1, Control A.9.2.1

High Table A.1, Control A.9.2.2

High Table A.1, Control A.9.2.4

High Table A.1, Control A.9.2.5

High Table A.1, Control A.9.2.6

High Table A.1, Control A.9.3.1

High Table A.1, Control A.9.4.1

High Table A.1, Control A.9.4.2

High Table A.1, Control A.9.4.3

High Table A.1, Control A.9.4.4

High Table A.1, Control A.9.4.5

High Table A.1, Control A.10.1.2

High Table A.1, Control A.11.1.1

High Table A.1, Control A.11.1.2

High Table A.1, Control A.11.1.3

High Table A.1, Control A.11.1.4

High Table A.1, Control A.11.1.5

High Table A.1, Control A.11.1.6

High Table A.1, Control A.11.2.1

High Table A.1, Control A.11.2.3

High Table A.1, Control A.11.2.4