Internal - Audit Checklist ISMS

This document contains an internal audit checklist for ISO 27001 and ISO 22301 compliance. It lists over 50 clauses and requirements from the standards and assesses whether the organization is compliant with each one. For most items, the evidence and status (yes/no) is documented. The checklist covers topics such as information security policies, risk assessment, asset management, access control, supplier relationships, and more. It appears to be a thorough review of the organization's information security management system and business continuity management system against the requirements of the two ISO standards.

Uploaded by Anand Bhatt
[organization name] [confidentiality level]

Appendix 3 – Internal Audit Checklist for ISO 27001 and ISO 22301

1. Internal audit checklist for ISO 27001


Clause | Requirement of the standard | Compliant (Yes/No) | Evidence
4.2 | Did the organization determine its interested parties? | |
4.2 | Does a list of all interested parties' requirements exist? | |
4.3 | Is the scope documented with clearly defined boundaries and interfaces? | |
5.1 | Are the general ISMS objectives compatible with the strategic direction? | |
5.1 | Does management ensure that the ISMS achieves its objectives? | |
5.2 | Does an Information Security Policy exist with objectives or a framework for setting objectives? | |
5.2 | Is the Information Security Policy communicated within the company? | No |
5.3 | Are roles and responsibilities for information security assigned and communicated? | |
6.1.2 | Is the risk assessment process documented, including the risk acceptance criteria and the criteria for performing risk assessments? | |
6.1.2, 8.2 | Are the risks identified, together with their owners, likelihood, consequences and level of risk, and are these results documented? | |
6.1.3 | Is the risk treatment process documented, including the risk treatment options? | |
6.1.3, 8.3 | Are all unacceptable risks treated using the options and controls from Annex A, and are these results documented? | |
6.1.3 | Is a Statement of Applicability produced with justifications and status for each control? | |
6.1.3, 8.3 | Does a Risk treatment plan exist, approved by the risk owners? | |
6.2 | Does the Risk treatment plan define who is responsible for implementing which control, with which resources, by what deadlines and with what evaluation method? | |
7.1 | Are adequate resources provided for all elements of the ISMS? | |
7.2 | Are the required competences defined, training performed and records of competence maintained? | |
7.3 | Are personnel aware of the Information Security Policy, of their role, and of the consequences of not complying with the rules? | |
7.4 | Does a process for communication related to information security exist, including responsibilities and what to communicate? | |
7.5 | Does a process for managing documents and records exist, including who reviews and approves documents and where and how they are published, stored and protected? | |
7.5 | Are documents of external origin controlled? | |
8.1 | Are outsourced processes identified and controlled? | |
9.1 | Is it defined what needs to be measured, by which method, who is responsible, and who will analyze and evaluate the results? | |
9.1 | Are the results of measurement documented and reported to the responsible persons? | |
9.2 | Does an audit programme exist that defines the timing, responsibilities, reporting, audit criteria and scope? | |
9.2 | Are internal audits performed according to the audit programme, the results reported in the Internal audit report, and the relevant corrective actions raised? | |
9.3 | Is management review performed regularly, and are the results documented in minutes of the meeting? | |
9.3 | Did management decide on all the crucial issues important for the success of the ISMS? | |
10.1 | Does the organization react to every nonconformity? | |
10.1 | Does the organization consider eliminating the cause of the nonconformity and, where appropriate, take corrective action? | |
10.1 | Are all nonconformities recorded, together with corrective actions? | |
A.5.1 | Are all necessary information security policies approved by management and published? | |
A.5.1 | Are all information security policies reviewed and updated? | |
A.5.2 | Are all information security responsibilities clearly defined in one or several documents? | |
A.5.3 | Are duties and responsibilities defined so as to avoid conflicts of interest, particularly for the information and systems where high risks are involved? | |
A.5.4 | Does management actively require all employees and contractors to comply with the information security rules? | |
A.5.5 | Is it clearly defined who should be in contact with which authorities? | |
A.5.6 | Is it clearly defined who should be in contact with special interest groups or professional associations? | |
A.5.7 | Are information security threats collected and analyzed in order to produce threat intelligence? | |
A.5.8 | Are information security rules included in every project? | |
A.5.8 | Are security requirements defined for new information systems and for any changes to them? | |
A.5.9 | Is an Inventory of assets drawn up? | |
A.5.9 | Does every asset in the Inventory of assets have a designated owner? | |
A.5.10 | Are the rules for appropriate handling of information and assets documented? | |
A.5.10 | Are there procedures that define how to handle classified information? | |
A.5.11 | Did all employees and contractors return all company assets when their employment was terminated? | |
A.5.12 | Is information classified according to specified criteria? | |
A.5.13 | Is classified information labeled according to the defined procedures? | |
A.5.14 | Is the protection of information transfer regulated in formal policies and procedures? | |
A.5.14 | Do agreements with third parties exist that regulate the security of information transfer? | |
A.5.14 | Are messages exchanged over networks properly protected? | |
A.5.15 | Is there an Access Control Policy that defines the business and security requirements for access control? | |
A.5.15 | Do users have access only to those networks and services they are specifically authorized for? | |
A.5.16 | Are access rights provided via a formal registration process? | |
A.5.17 | Are initial passwords and other secret authentication information provided in a secure way? | |
A.5.17 | Are there clear rules for users on how to protect passwords and other authentication information? | |
A.5.17 | Are the systems that manage passwords interactive, and do they enable the creation of secure passwords? | |
A.5.18 | Is there a formal access control system when logging into information systems? | |
A.5.18 | Do asset owners periodically check all privileged access rights? | |
A.5.18 | Have the access rights of all employees and contractors been removed upon termination of their contracts? | |
A.5.19 | Is the policy on how to treat the risks related to suppliers and partners documented? | |
A.5.20 | Are all relevant security requirements included in the agreements with suppliers and partners? | |
A.5.21 | Do the agreements with cloud providers and other suppliers include security requirements for ensuring the reliable delivery of services? | |
A.5.22 | Are suppliers regularly monitored for compliance with the security requirements, and audited where appropriate? | |
A.5.22 | When making changes to arrangements and contracts with suppliers and partners, are risks and existing processes taken into account? | |
A.5.23 | Are the processes for acquisition, use and management of, and exit from, cloud services compliant with the identified security requirements? | |
A.5.24 | Are procedures and responsibilities for managing incidents clearly defined? | |
A.5.25 | Are all security events assessed and classified? | |
A.5.26 | Are procedures on how to respond to incidents documented? | |
A.5.27 | Are security incidents analyzed in order to learn how to prevent them? | |
A.5.28 | Do procedures exist that define how to collect incident evidence so that it will be admissible in legal proceedings? | |
A.5.29 | Are requirements for the continuity of information security defined? | |
A.5.29 | Do procedures exist that ensure the continuity of information security during a crisis or disaster? | |
A.5.29 | Are exercises and tests performed in order to ensure an effective response? | |
A.5.30 | Is ICT readiness planned, implemented, maintained and tested based on business and ICT continuity requirements? | |
A.5.31 | Are all legislative, regulatory, contractual and other security requirements listed and documented? | |
A.5.32 | Do procedures exist that ensure intellectual property rights are respected, including the use of licensed software? | |
A.5.33 | Are all records protected according to the identified regulatory, contractual and other requirements? | |
A.5.34 | Is personally identifiable information protected as required by laws and regulations? | |

Internal Audit ver [version] from [date] Page 1 of 6