ISO 27001:2022 ISMS Internal Audit Checklist

The following checklist can be used both for internal audits and as a gap analysis tool.

ISO 27001:2022 Checklist
Clause 4: Context of the organization
4.1 Understanding the organization and its context
Has the organization determined external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its information security management system?
4.2 Understanding the needs and expectations of interested parties
Has the organization determined the interested parties that are relevant to the information security management system?
Has the organization determined the relevant requirements of these interested parties?
Has the organization determined which of these requirements will be addressed through the information security management system?
4.3 Determining the scope of the information security management system
Has the organization established the boundaries and applicability of the information security management system to establish its scope?
When determining the scope of the information security management system, has the organization considered the external and internal issues referred to in clause 4.1 and the relevant ISMS requirements of interested parties referred to in clause 4.2?
While determining the scope, has the organization determined the interfaces and dependencies between activities performed by the organization and those that are performed by other organizations?
Is the organization’s scope made available as documented information?
4.4 Information security management system
Has the organization established, implemented, maintained and continually improved an information security management system, including the processes needed and their interactions, in accordance with the requirements of ISO 27001:2022?
Clause 5 Leadership
5.1 Leadership and commitment
Does the top management demonstrate leadership and commitment by taking accountability for the effectiveness of its ISMS?
Has the top management ensured that the information security policy and information security objectives are established?
Are the information security policy and information security objectives compatible with the strategic direction of the organization?
Has the organization integrated the requirements of the ISMS into the organization’s processes?
Is the top management ensuring that the resources needed for the information security management system are available?
Is the importance of the effectiveness of the ISMS and of conformance to ISMS requirements communicated?
Does the top management ensure that the ISMS is achieving its intended results?
Does the top management direct and support persons to contribute to the effectiveness of the ISMS?
Is top management promoting continual improvement?
Is top management supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility?
5.2 Policy
Has top management established an information security policy that is appropriate to the purpose of the organization?
Does the information security policy include information security objectives or provide the framework for setting information security objectives?
Does the information security policy include a commitment to satisfy applicable requirements related to information security?
Does the information security policy include a commitment to continual improvement of the information security management system?
Is the information security policy available as documented information, communicated within the organization and available to interested parties?
5.3 Organizational roles, responsibilities and authorities
Has the top management ensured that the responsibilities and authorities for roles relevant to information security are assigned and communicated within the organization?
Has top management assigned the responsibility and authority for ensuring that the information security management system conforms to the requirements of ISO 27001:2022?
Has top management assigned the responsibility and authority for reporting on the performance of the information security management system to top management?
6 Planning
6.1 Actions to address risks and opportunities
6.1.1 General
When planning for the information security management system, has the organization considered the issues referred to in 4.1 and the requirements referred to in 4.2, and determined the risks and opportunities that need to be addressed to ensure the information security management system can achieve its intended outcomes?
When planning for the information security management system, has the organization considered how to prevent or reduce undesired effects and achieve continual improvement?
Has the organization planned actions to address these risks and opportunities, and developed a mechanism to integrate and implement the actions into its information security management system processes and evaluate the effectiveness of these actions?
6.1.2 Information security risk assessment
Has the organisation defined and applied an information security risk assessment process that establishes and maintains information security risk criteria that includes the risk acceptance criteria and the criteria for performing information security risk assessments?
Has the organisation defined and applied an information security risk assessment process that ensures that repeated information security risk assessments produce consistent, valid and comparable results?
Does the organization identify the information security risks by applying the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system, and identify the risk owners?
Does the organization analyse the information security risks to assess the potential consequences that would result if the risks identified were to materialize, assess the realistic likelihood of the occurrence of the risks identified and determine the levels of risk?
Does the organization evaluate the information security risks to compare the results of risk analysis with the risk criteria established and prioritize the analysed risks for risk treatment?
Does the organization retain documented information about the information security risk assessment process?
6.1.3 Information security risk treatment
Has the organization defined and applied an information security risk treatment process to select appropriate information security risk treatment options, taking account of the risk assessment results?
Has the organization determined all controls that are necessary to implement the information security risk treatment options chosen? Has the organization taken into account the controls given in Annex A of ISO 27001:2022 so that no necessary controls have been omitted?
Has the organization produced a Statement of Applicability that contains the necessary controls, justification for their inclusion, whether the necessary controls are implemented or not and the justification for excluding any of the ISO 27001:2022 Annex A controls?
Has the organization formulated an information security risk treatment plan and obtained risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks?
Is documented information about the information security risk treatment process retained?
6.2 Information security objectives and planning to achieve them
Has the organization established information security objectives at relevant functions and levels?
Are the information security objectives consistent with the information security policy?
Are the information security objectives measurable (if applicable) and monitored?
While establishing information security objectives, does the organization take into account applicable information security requirements and results from risk assessment and risk treatment?
Are information security objectives communicated and updated as required?
Does the organization retain and make available documented information on the information security objectives?
For achieving information security objectives, does the organization determine what will be done, what resources are required, who will be responsible, when it will be completed and how the results are to be evaluated?
6.3 Planning of change
Has the organization considered how actions to achieve its information security objectives can be integrated into its business processes?
7 Support
7.1 Resources
Has the organization determined and provided the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system?
7.2 Competence
Does the organization determine the necessary competence of persons doing work under its control that affects its information security performance?
Does the organization ensure that these persons are competent on the basis of appropriate education, training or experience?
Does the organization take applicable actions to acquire the necessary competence and evaluate the effectiveness of action taken?
Does the organization retain the appropriate documented information as evidence of competence?
7.3 Awareness
How does the organization ensure that persons doing work under its control are aware of the information security policy?
How does the organization ensure that persons doing work under its control are aware of their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance?
How does the organization ensure that persons doing work under its control are aware of the implications of not conforming with the information security management system requirements?
7.4 Communication
How does the organization determine the internal and external communications relevant to the information security management system, including on what to communicate, when to communicate, with whom to communicate and how to communicate?
7.5 Documented Information
7.5.1 General
Does the organization’s ISMS include documents required by ISO 27001:2022 and documents determined by the organization as necessary for the effectiveness of the ISMS?
7.5.2 Creating and updating
While creating and updating documented information, does the organization ensure it is appropriate in terms of identification and description (e.g. a title, date, author, or reference number)?
While creating and updating documented information, does the organization ensure that it is in the proper format (e.g. language, software version, graphics) and on the correct media (e.g. paper, electronic)?
While creating and updating documented information, does the organization ensure that there is appropriate review and approval for suitability and adequacy?
7.5.3 Control of documented information
How does the organization control its documented information to ensure that it is available and suitable for use, when and where it is needed?
How is the documented information adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity)?
How is the distribution, access, retrieval and use of documented information adequately controlled?
How is the documented information properly stored and adequately preserved, and is it legible?
How are changes controlled (e.g. version control)?
Are adequate controls in place for retention and disposition?
How is documented information of external origin that is necessary for the planning and operation of the ISMS appropriately identified and controlled?
8 Operations
8.1 Operation planning and control
Does the organization plan, implement and control the processes needed to meet the requirements of the information security management system and to implement the actions determined in Clause 6, by establishing criteria for the processes?
Has the organization implemented control of the processes in accordance with the criteria?
How does the organization control planned changes and review the consequences of unintended changes, including taking action to mitigate any adverse effects, as necessary?
How does your organization ensure that externally provided processes, products or services that are relevant to the information security management system are controlled?
How does the organization make available documented information to the extent necessary to have confidence that processes have been carried out as planned?
8.2 Information security risk assessment
How is the organization performing information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established?
How does the organization retain documented information of the results of the information security risk assessments?
8.3 Information security risk treatment
How does the organization implement the information security risk treatment plan?
How does the organization retain documented information of the results of the information security risk treatment?
9 Performance evaluation
9.1 Monitoring, measurement, analysis, and evaluation
9.1.1 General
How does the organization determine what needs to be monitored and measured, including information security processes and controls?
How does the organization determine the methods for monitoring, measurement, analysis and evaluation, as needed to ensure valid results?
Do the methods selected produce comparable and reproducible results to be considered valid?
How does your organization determine when the monitoring and measurement shall be performed and who shall monitor and measure?
How does your organization determine when the results from monitoring and measurement shall be analysed and evaluated and who shall analyse and evaluate?
How does the organization evaluate the information security performance and the effectiveness of the information security management system?
How does the organization make available the appropriate documented information as evidence of monitoring, measurement, analysis and evaluation results?
9.2 Internal Audit
9.2.1 General
Does the organization conduct internal audits at planned intervals to provide information on whether the ISMS conforms to the organization’s own requirements for its ISMS and to the ISO 27001:2022 requirements, and whether the ISMS is effectively implemented and maintained?
9.2.2 Internal audit program
Did the organization plan, establish, implement, and maintain an audit program?
Did the audit program include the frequency, methods, responsibilities, planning requirements, and reporting of its internal audit?
Does the audit program take into consideration the importance of the process concerned, and the results of previous audits?
Did the organization define the audit criteria and scope of each audit?
Does the organization ensure that audits are conducted by auditors who ensure the objectivity and impartiality of the audit process?
Does the organization ensure that the results of the audits are reported to relevant management?
Is documented information made available as evidence of the implementation of the audit program and the audit results?
9.3 Management review
9.3.1 General
Does top management review the organization’s ISMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness?
9.3.2 Management review inputs
Does the review take into consideration the status of actions from previous management reviews?
Are the changes in external and internal issues relevant to ISMS considered?
Are the changes in the needs and expectations of interested parties relevant to ISMS considered?
Does the review take into consideration feedback on information security performance, including the trends in nonconformities and corrective actions, monitoring and measurement results, the audit results and fulfillment of information security objectives?
Does the review take into consideration feedback from interested parties?
Does the review take into consideration results of risk assessment and status of risk treatment plan?
Does the review take into consideration the opportunities for continual improvement?
9.3.3 Management review results
Do the outputs of the management review include decisions related to continual improvement opportunities and any needs for changes to the information security management system?
Does the organization make available documented information as evidence of the result of the management review?
10 Improvement
10.1 Continual improvement
Does the organization continually improve the suitability, adequacy, and effectiveness of the ISMS?
10.2 Nonconformity and corrective action
When any nonconformity occurs, how does the organization react to it by taking action to control and correct it and deal with the consequences?
When any nonconformity occurs, does the organization evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere?
How does the organization review the nonconformity?
How does the organization determine the causes of the nonconformity?
How does the organization determine whether similar nonconformities exist or could potentially exist?
How has the organization implemented any action needed?
How has the organization reviewed the effectiveness of the corrective action taken?
Has the organization made changes to the ISMS if necessary?
Are the corrective actions appropriate to the significance of the effects of the nonconformities encountered?
Does the organization retain documented information on the nature of the nonconformities, any subsequent actions taken and the result of any corrective action?

Annex A Information security controls

A 5 Organizational controls

| Clause | Control | Is the control applicable? If yes, how is it applied and is it effective? |
|---|---|---|
| 5.1 Policies for information security | Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur. | |
| 5.2 Information security roles and responsibilities | Information security roles and responsibilities shall be defined and allocated according to the organization needs. | |
| 5.3 Segregation of duties | Conflicting duties and conflicting areas of responsibility shall be segregated. | |
| 5.4 Management responsibilities | Management shall require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization. | |
| 5.5 Contact with authorities | The organization shall establish and maintain contact with relevant authorities. | |
| 5.6 Contact with special interest groups | The organization shall establish and maintain contact with special interest groups or other specialist security forums and professional associations. | |
| 5.7 Threat intelligence | Information relating to information security threats shall be collected and analysed to produce threat intelligence. | |
| 5.8 Information security in project management | Information security shall be integrated into project management. | |
| 5.9 Inventory of information and other associated assets | An inventory of information and other associated assets, including owners, shall be developed and maintained. | |
| 5.10 Acceptable use of information and other associated assets | Rules for the acceptable use and procedures for handling information and other associated assets shall be identified, documented and implemented. | |
| 5.11 Return of assets | Personnel and other interested parties as appropriate shall return all the organization’s assets in their possession upon change or termination of their employment, contract or agreement. | |
| 5.12 Classification of information | Information shall be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements. | |
| 5.13 Labeling of information | An appropriate set of procedures for information labeling shall be developed and implemented in accordance with the information classification scheme adopted by the organization. | |
| 5.14 Information transfer | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties. | |
| 5.15 Access control | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements. | |
| 5.16 Identity management | The full life cycle of identities shall be managed. | |
| 5.17 Authentication information | Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information. | |
| 5.18 Access rights | Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control. | |
| 5.19 Information security in supplier relationships | Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of supplier’s products or services. | |
| 5.20 Addressing information security within supplier agreements | Relevant information security requirements shall be established and agreed with each supplier based on the type of supplier relationship. | |
| 5.21 Managing information security in the information and communication technology (ICT) supply chain | Processes and procedures shall be defined and implemented to manage the information security risks associated with the ICT products and services supply chain. | |
| 5.22 Monitoring, review and change management of supplier services | The organization shall regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery. | |
| 5.23 Information security for use of cloud services | Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organization’s information security requirements. | |
| 5.24 Information security incident management planning and preparation | The organization shall plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities. | |
| 5.25 Assessment and decision on information security events | The organization shall assess information security events and decide if they are to be categorized as information security incidents. | |
| 5.26 Response to information security incidents | Information security incidents shall be responded to in accordance with the documented procedures. | |
| 5.27 Learning from information security incidents | Knowledge gained from information security incidents shall be used to strengthen and improve the information security controls. | |
| 5.28 Collection of evidence | The organization shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events. | |
| 5.29 Information security during disruption | The organization shall plan how to maintain information security at an appropriate level during disruption. | |
| 5.30 ICT readiness for business continuity | ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. | |
| 5.31 Legal, statutory, regulatory and contractual requirements | Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet these requirements shall be identified, documented and kept up to date. | |
| 5.32 Intellectual property rights | The organization shall implement appropriate procedures to protect intellectual property rights. | |
| 5.33 Protection of records | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release. | |
| 5.34 Privacy and protection of personal identifiable information (PII) | The organization shall identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements. | |
| 5.35 Independent review of information security | The organization’s approach to managing information security and its implementation including people, processes and technologies shall be reviewed independently at planned intervals, or when significant changes occur. | |
| 5.36 Compliance with policies, rules and standards for information security | Compliance with the organization’s information security policy, topic-specific policies, rules and standards shall be regularly reviewed. | |
| 5.37 Documented operating procedures | Operating procedures for information processing facilities shall be documented and made available to personnel who need them. | |

A 6 People controls

| Clause | Control | Is the control applicable? If yes, how is it applied and is it effective? |
|---|---|---|
| 6.1 Screening | Background verification checks on all candidates to become personnel shall be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. | |
| 6.2 Terms and conditions of employment | The employment contractual agreements shall state the personnel’s and the organization’s responsibilities for information security. | |
| 6.3 Information security awareness, education and training | Personnel of the organization and relevant interested parties shall receive appropriate information security awareness, education and training and regular updates of the organization’s information security policy, topic-specific policies and procedures, as relevant for their job function. | |
| 6.4 Disciplinary process | A disciplinary process shall be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation. | |
| 6.5 Responsibilities after termination or change of employment | Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, enforced and communicated to relevant personnel and other interested parties. | |
| 6.6 Confidentiality or non-disclosure agreements | Confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties. | |
| 6.7 Remote working | Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises. | |
| 6.8 Information security event reporting | The organization shall provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner. | |

A 7 Physical controls

| Clause | Control | Is the control applicable? If yes, how is it applied and is it effective? |
|---|---|---|
| 7.1 Physical security perimeters | Security perimeters shall be defined and used to protect areas that contain information and other associated assets. | |
| 7.2 Physical entry | Secure areas shall be protected by appropriate entry controls and access points. | |
| 7.3 Securing offices, rooms and facilities | Physical security for offices, rooms and facilities shall be designed and implemented. | |
| 7.4 Physical security monitoring | Premises shall be continuously monitored for unauthorized physical access. | |
| 7.5 Protecting against physical and environmental threats | Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure shall be designed and implemented. | |
| 7.6 Working in secure areas | Security measures for working in secure areas shall be designed and implemented. | |
| 7.7 Clear desk and clear screen | Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities shall be defined and appropriately enforced. | |
| 7.8 Equipment siting and protection | Equipment shall be sited securely and protected. | |
| 7.9 Security of assets off-premises | Off-site assets shall be protected. | |
| 7.10 Storage media | Storage media shall be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization’s classification scheme and handling requirements. | |
| 7.11 Supporting utilities | Information processing facilities shall be protected from power failures and other disruptions caused by failures in supporting utilities. | |
| 7.12 Cabling security | Cables carrying power, data or supporting information services shall be protected from interception, interference or damage. | |
| 7.13 Equipment maintenance | Equipment shall be maintained correctly to ensure availability, integrity and confidentiality of information. | |
| 7.14 Secure disposal or re-use of equipment | Items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. | |

A 8 Technological controls

| Clause | Control | Is the control applicable? If yes, how is it applied and is it effective? |
|---|---|---|
| 8.1 User end point devices | Information stored on, processed by or accessible via user end point devices shall be protected. | |
| 8.2 Privileged access rights | The allocation and use of privileged access rights shall be restricted and managed. | |
| 8.3 Information access restriction | Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. | |
| 8.4 Access to source code | Read and write access to source code, development tools and software libraries shall be appropriately managed. | |
| 8.5 Secure authentication | Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control. | |
| 8.6 Capacity management | The use of resources shall be monitored and adjusted in line with current and expected capacity requirements. | |
| 8.7 Protection against malware | Protection against malware shall be implemented and supported by appropriate user awareness. | |
| 8.8 Management of technical vulnerabilities | Information about technical vulnerabilities of information systems in use shall be obtained, the organization’s exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken. | |
| 8.9 Configuration management | Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed. | |
| 8.10 Information deletion | Information stored in information systems, devices or in any other storage media shall be deleted when no longer required. | |
| 8.11 Data masking | Data masking shall be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration. | |
| 8.12 Data leakage prevention | Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information. | |
| 8.13 Information backup | Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. | |
| 8.14 Redundancy of information processing facilities | Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. | |
| 8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. | |
| 8.16 Monitoring activities | Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents. | |
| 8.17 Clock synchronization | The clocks of information processing systems used by the organization shall be synchronized to approved time sources. | |
| 8.18 Use of privileged utility programs | The use of utility programs that can be capable of overriding system and application controls shall be restricted and tightly controlled. | |
| 8.19 Installation of software on operational systems | Procedures and measures shall be implemented to securely manage software installation on operational systems. | |
| 8.20 Networks security | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications. | |
| 8.21 Security of network services | Security mechanisms, service levels and service requirements of network services shall be identified, implemented and monitored. | |
| 8.22 Segregation of networks | Groups of information services, users and information systems shall be segregated in the organization’s networks. | |
| 8.23 Web filtering | Access to external websites shall be managed to reduce exposure to malicious content. | |
| 8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | |
| 8.25 Secure development life cycle | Rules for the secure development of software and systems shall be established and applied. | |
| 8.26 Application security requirements | Information security requirements shall be identified, specified and approved when developing or acquiring applications. | |
| 8.27 Secure system architecture and engineering principles | Principles for engineering secure systems shall be established, documented, maintained and applied to any information system development activities. | |
| 8.28 Secure coding | Secure coding principles shall be applied to software development. | |
| 8.29 Security testing in development and acceptance | Security testing processes shall be defined and implemented in the development life cycle. | |
| 8.30 Outsourced development | The organization shall direct, monitor and review the activities related to outsourced system development. | |
| 8.31 Separation of development, test and production environments | Development, testing and production environments shall be separated and secured. | |
| 8.32 Change management | Changes to information processing facilities and information systems shall be subject to change management procedures. | |
| 8.33 Test information | Test information shall be appropriately selected, protected and managed. | |
| 8.34 Protection of information systems during audit testing | Audit tests and other assurance activities involving assessment of operational systems shall be planned and agreed between the tester and appropriate management. | |
