ISO 27001 Information Security Management System (ISO27K ISMS) Audit Checklist


Run this checklist to perform an internal audit on an organization's information security management system (ISMS) against the ISO 27001:2013 requirements.
1. Introduction:
2. Enter basic details
3. Preparing for the audit:
4. Establish context of the ISMS audit
5. Establish objectives of the ISMS audit
6. Determine ISMS audit scope
7. Establish criteria of the ISMS audit
8. Ensure ISMS audit monitoring systems are in place
9. Request documented information from auditee
10. Assign audit roles and responsibilities:
11. Assign audit team
12. Assign audit team lead
13. Reviewing documented information:
14. Review auditee's documented information
15. Approval:
16. (Conditional) Resolve documented information issue(s)
17. Prepare an audit plan
18. Assign work to the audit team
19. Initiating the audit:
20. Make arrangements with the auditee
21. Conduct opening meeting
22. Ensure relevant audit information is accessible
23. Collecting evidence (context of the organization):
24. Assess understanding of the organization and its context
25. Assess the needs and expectations of relevant interested parties
26. Assess ISMS scope
27. Collecting evidence (leadership):
28. Assess leadership of the ISMS
29. Assess ISMS policy
30. Assess ISMS roles, responsibilities, and authorities
31. Assess consultation and participation of workers
32. Collecting evidence (planning):
33. Assess actions to address risks and opportunities
34. Assess ISMS objectives and plans to achieve them
35. Collecting evidence (support):
36. Assess ISMS resources
37. Assess ISMS competence
38. Assess ISMS awareness
39. Assess ISMS communication
40. Assess ISMS documented information
41. Collecting evidence (operation):
42. Assess ISMS operational planning and control
43. Assess ISMS information security risk assessment procedures
44. Assess information security risk treatment procedures
45. Collecting evidence (performance evaluation):
46. Assess systems for monitoring and measuring ISMS performance
47. Assess ISMS internal audit procedures
48. Assess ISMS management review procedures
49. Collecting evidence (improvement):
50. Assess ISMS nonconformity and corrective action
51. Assess continuous improvement procedures
52. Audit findings:
53. Review audit evidence and findings
54. Approval:
55. Closing the audit:
56. Prepare ISMS audit report
57. Issue ISMS audit report
58. (Conditional) Prepare for audit follow-up
59. Prepare for closing meeting
60. Conduct closing meeting
61. Complete the audit
62. Sources:
63. Related checklists:

Introduction:

One of the core functions of an information security management system (ISMS) is an internal audit of the ISMS against the requirements of the ISO/IEC 27001:2013 standard.

Especially for smaller organizations, this can also be one of the hardest functions to successfully implement in a way that meets the requirements of the standard.

This checklist is designed to streamline the ISO 27001 audit process, so you can perform first- and second-party audits, whether for an ISMS implementation or for contractual or regulatory reasons.

The checklist is intended as generic guidance; it is not a replacement for ISO 27001.

For best results, users are encouraged to edit the checklist and modify the contents to best suit their use cases, as it cannot provide specific guidance on the particular risks and controls applicable to every situation.

Typically, management system auditors will prepare custom checklists that reflect the specific scope, scale, and objectives of the ISMS being audited.

Enter basic details

Audit documentation should include the details of the auditor, as well as the start date, and basic information about the nature of the audit. 

More detailed information will be gathered later in the checklist.

Before beginning preparations for the audit, enter some basic details about the information security management system (ISMS) audit using the form fields below.

Audit programme manager information



Auditee information




If this process involves multiple people, you can use the members form field to allow the person running this checklist to select and assign additional individuals.

For example, if management is running this checklist, they may wish to assign the lead internal auditor after completing the ISMS audit details.

Preparing for the audit:

Establish context of the ISMS audit

In order to understand the context of the audit, the audit programme manager should take into account the auditee’s:

  1. Business goals and objectives
  2. Relevant external and internal issues
  3. The needs and expectations of relevant interested parties
  4. Information security and confidentiality requirements of the ISMS

Record the context of the audit in the form field below.


Establish objectives of the ISMS audit

The audit programme manager needs to establish the objectives of the ISMS audit.

Individual audit objectives need to be consistent with the context of the auditee, including the following factors:

  1. Extent of the ISMS to be audited
  2. Capacity of the ISMS to help the organization meet relevant regulatory requirements
  3. Effectiveness of the ISMS in producing its intended results
  4. Opportunities for ISMS improvements
  5. Suitability of the ISMS with respect to the overall strategic context and business objectives of the auditee

Determine ISMS audit scope

Audit scope should be consistent with the context of the auditee.

Consider the following factors, and define the audit scope in the form field below:

  1. Audit location
  2. Audit function
  3. Audit activities
  4. Processes to be audited
  5. Audit time-frame

Establish criteria of the ISMS audit

For individual audits, criteria should be defined to be used as a reference against which conformity will be determined.

Individual audit criteria might include:

  1. Relevant policies
  2. Processes and standard operating procedures
  3. Performance objectives and KPIs
  4. Statutory and other relevant regulatory requirements
  5. Management system requirements (e.g. other ISO standards)
  6. Risks and opportunities as determined by the auditee
  7. Internal codes of conduct

Ensure ISMS audit monitoring systems are in place

Audit programme managers should also make sure that tools and systems are in place to ensure adequate monitoring of the audit and all relevant activities.

Relevant activities to be monitored might include any of the following:

  1. Timeliness of the audit (whether deadlines and schedules are being met)
  2. Performance of the audit team members (including the lead auditor)
  3. Successful implementation of audit plans
  4. Feedback from the auditee and other relevant parties
  5. Documentation of audit activities

Request documented information from auditee

Request all existing relevant ISMS documentation from the auditee. You can use the form field below to quickly and easily request this information.

Assign audit roles and responsibilities:

Assign audit team

Audit programme managers should assign audit team members.

When deciding on your audit team, consider the following:

  1. Overall competence required by the audit team
  2. Audit complexity
  3. Combined or joint audit?
  4. Audit methods
  5. Ability of the audit team to work and interact effectively with the auditee
  6. Relevant internal and external issues (e.g. auditee language barriers)
  7. Type and complexity of processes to be audited (do they require specialized knowledge?)

Use the various fields below to assign audit team members.




Should you require fewer or more audit team members, edit this template to your requirements.

Assign audit team lead

Audit programme managers should be responsible for assigning the audit team leader.

This should be done well ahead of the scheduled date of the audit, to be sure that planning can take place in a timely manner.

A dynamic due date has been set for this task, for one month before the scheduled start date of the audit.

Use the form fields below to record the details of the lead auditor.




Reviewing documented information:

Review auditee’s documented information

The lead auditor should obtain and review all documentation of the auditee's management system. The lead auditor can then approve, reject, or reject with comments the documentation. Continuation of this checklist is not possible until all documentation has been reviewed by the lead auditor.

This will help to prepare for individual audit activities, and will serve as a high-level overview from which the lead auditor will be able to better identify and understand areas of concern or nonconformity.

Documented information is an umbrella term that could refer to:

  • Processes (either recorded on paper or with software)
  • Management system documents and records
  • Previous audit reports

The above list is by no means exhaustive. The lead auditor should also take into account individual audit scope, objectives, and criteria.

Reference material, such as individual ISO standards, will be useful at this point.

Using the form fields below, record any issues or nonconformities observed.


Approval:

The following task will be submitted for approval:

  • Review auditee's documented information

(Conditional) Resolve documented information issue(s)

Using the form field below, describe the issue(s) with documented information so far, and the steps taken to resolve the issue(s). 



Prepare an audit plan

The lead auditor should prepare an audit plan for the individual audit.

This plan should involve the following components and considerations:

  1. Roles and responsibilities of each audit team member
  2. Risk-based approach to audit planning
  3. Scheduling and coordination of audit activities
  4. Scope and complexity of the audit
  5. Sampling techniques for collecting evidence
  6. Opportunities for improvement
  7. Risks of inadequate planning
  8. Impact of the audit on auditee activities

Assign work to the audit team

The lead auditor should assign work to the audit team.

Work to be assigned should be outlined in the audit plan.

You can use Process Street’s task assignment feature to assign specific tasks in this checklist to individual members of your audit team.

Initiating the audit:

Make arrangements with the auditee

The lead auditor should make contact with the auditee and ensure the following:

  1. A basic introduction has been made and the lead auditor's roles and responsibilities are clearly outlined
  2. The methods of communication have been clarified
  3. Permission has been granted to proceed with the audit
  4. The auditee understands the audit programme so far
  5. Relevant information is accessible to all parties involved with the audit
  6. Access to additional relevant information has been requested
  7. Any additional regulatory requirements that will impact audit activities have been determined
  8. Information security policies have been confirmed
  9. Audit scheduling has been confirmed
  10. Location-specific arrangements have been made
  11. The auditee understands the requirements for additional observers/guides etc.
  12. Risk areas of note have been communicated
  13. Outstanding issues have been resolved

Any scheduling of audit activities should be made well in advance.

For example, the dates of the opening and closing meetings should be provisionally declared for planning purposes.

Conduct opening meeting

An opening meeting between the auditee and all relevant parties should be held.

It’s advised that the opening meeting should be led by the lead auditor.

The scheduling for this meeting should have already been determined earlier in the checklist.

During the opening meeting, confirm the following with all relevant parties:

  1. Audit programme plans
  2. Individual audit scope
  3. Individual audit objectives
  4. Individual audit criteria
  5. Individual audit plans
  6. Roles and responsibilities of the audit team
  7. That all planned activities can be performed, and proper authorization is acquired
  8. Language of the audit
  9. Information security protocol
  10. Relevant access and arrangements for the audit team
  11. Notable on-site activities that could impact the audit process

Typically, such an opening meeting will involve the auditee’s management, as well as crucial actors or specialists in relation to processes and procedures to be audited.

This meeting is a great opportunity to ask any questions about the audit process and generally clear the air of uncertainties or reservations.

Depending on the size and scope of the audit (and as such the organization being audited) the opening meeting might be as simple as announcing that the audit is starting, with a simple explanation of the nature of the audit.

Familiarity of the auditee with the audit process is also an important factor in determining how extensive the opening meeting should be.

During the opening meeting, the following items should be clearly communicated:

  1. Methods for reporting and communicating audit progress
  2. Conditions of audit termination
  3. Procedures for dealing with audit findings during the audit
  4. Procedures for receiving feedback from the auditee in response to findings during the audit

Ensure relevant audit information is accessible

Where, when, and how information is accessible is a crucial factor during the audit.

It’s important to make clear where all relevant interested parties can find important audit information.

Make sure important information is readily accessible by recording the location in the form fields of this task.

You may want to consider uploading important information to a secure central repository (URL) that can be easily shared to relevant interested parties.

Audit information can be stored physically, virtually, or both.


Collecting evidence (context of the organization):

Assess understanding of the organization and its context

Understanding the context of the organization is necessary when developing an information security management system in order to identify, analyze, and understand the business environment in which the organization conducts its business and delivers its products and services. The relevant requirement is ISO/IEC 27001:2013 clause 4.1, which asks for the external and internal issues relevant to the organization's purpose and to the intended outcomes of the ISMS.

Record information pertaining to the organization and its context in the form fields below.








Assess the needs and expectations of relevant interested parties

Provide a record of evidence gathered relating to the needs and expectations of interested parties (ISO/IEC 27001:2013 clause 4.2) in the form fields below. Check that the interested parties relevant to the ISMS have been identified and that their information security requirements, including legal, regulatory, and contractual obligations, have been determined.





Assess ISMS scope

The scope of the ISMS (ISO/IEC 27001:2013 clause 4.3) defines the boundaries and applicability of the ISMS: the processes, procedures, services, products, locations, and systems it applies to, taking into account the external and internal issues, the requirements of interested parties, and the interfaces and dependencies with activities performed by other organizations. The scope must be available as documented information.

Provide a record of evidence gathered relating to the ISMS scope in the form fields below.






Collecting evidence (leadership):

Assess leadership of the ISMS

Provide a record of evidence gathered relating to ISMS leadership and commitment (ISO/IEC 27001:2013 clause 5.1) in the form fields below.






Assess ISMS policy

Provide a record of evidence gathered relating to the ISMS information security policy (ISO/IEC 27001:2013 clause 5.2) in the form fields below.






Assess ISMS roles, responsibilities, and authorities

Provide a record of evidence gathered relating to the organizational roles, responsibilities, and authorities of the ISMS (ISO/IEC 27001:2013 clause 5.3) in the form fields below.






Assess consultation and participation of workers

Provide a record of evidence gathered relating to the consultation and participation of workers in the ISMS using the form fields below.

Note that ISO/IEC 27001:2013 contains no clause requiring consultation and participation of workers (that requirement comes from ISO 45001); treat this task as optional unless your audit criteria include it.






Collecting evidence (planning):

Assess actions to address risks and opportunities

Provide a record of evidence gathered relating to the documentation of risks and opportunities in the ISMS (ISO/IEC 27001:2013 clause 6.1) using the form fields below.









Assess ISMS objectives and plans to achieve them

Provide a record of evidence gathered relating to the information security objectives and plans to achieve them (ISO/IEC 27001:2013 clause 6.2) in the form fields below.







Collecting evidence (support):

Assess ISMS resources

Provide a record of evidence gathered relating to the documentation and implementation of ISMS resources (ISO/IEC 27001:2013 clause 7.1) using the form fields below.






Assess ISMS competence

Provide a record of evidence gathered relating to the documentation and implementation of ISMS competence (ISO/IEC 27001:2013 clause 7.2) using the form fields below.






Assess ISMS awareness

Provide a record of evidence gathered relating to the documentation and implementation of ISMS awareness (ISO/IEC 27001:2013 clause 7.3) using the form fields below.






Assess ISMS communication

Provide a record of evidence gathered relating to the documentation and implementation of ISMS communication (ISO/IEC 27001:2013 clause 7.4) using the form fields below.






Assess ISMS documented information

Provide a record of evidence gathered relating to the documented information of the ISMS (ISO/IEC 27001:2013 clause 7.5), including its creation, updating, and control, using the form fields below.






Collecting evidence (operation):

Assess ISMS operational planning and control

Provide a record of evidence gathered relating to the operational planning and control of the ISMS (ISO/IEC 27001:2013 clause 8.1) using the form fields below.






Assess ISMS information security risk assessment procedures

Provide a record of evidence gathered relating to the information security risk assessment procedures of the ISMS (ISO/IEC 27001:2013 clauses 6.1.2 and 8.2) using the form fields below. Check that risk assessments are performed at planned intervals and when significant changes occur, and that the results are retained as documented information.






Assess information security risk treatment procedures

Provide a record of evidence gathered relating to the information security risk treatment procedures of the ISMS (ISO/IEC 27001:2013 clauses 6.1.3 and 8.3) using the form fields below. Check that a Statement of Applicability and a risk treatment plan exist, and that the risk owners have approved the plan and accepted the residual risks.






Collecting evidence (performance evaluation):

Assess systems for monitoring and measuring ISMS performance

Provide a record of evidence gathered relating to the systems for monitoring, measuring, analyzing, and evaluating performance of the ISMS (ISO/IEC 27001:2013 clause 9.1) using the form fields below.






Assess ISMS internal audit procedures

Provide a record of evidence gathered relating to the internal audit procedures of the ISMS (ISO/IEC 27001:2013 clause 9.2) using the form fields below.






Assess ISMS management review procedures

Provide a record of evidence gathered relating to the management review procedures of the ISMS (ISO/IEC 27001:2013 clause 9.3) using the form fields below.






Collecting evidence (improvement):

Assess ISMS nonconformity and corrective action

Provide a record of evidence gathered relating to nonconformity and corrective action in the ISMS (ISO/IEC 27001:2013 clause 10.1) using the form fields below.






Assess continuous improvement procedures

Provide a record of evidence gathered relating to continual improvement procedures of the ISMS (ISO/IEC 27001:2013 clause 10.2) using the form fields below.






Audit findings:

Review audit evidence and findings

The lead auditor can review and approve, reject, or reject with comments the audit evidence and findings below. It is not possible to continue in this checklist until the below has been reviewed.


Context of the organization


Understanding the organization and its context

Internal issues: {{form.Internal_issues_information}}

External issues: {{form.External_issues_information}}

Relevant interested parties: {{form.Relevant_interested_parties_information}}

Any nonconformities?: {{form.Nonconformity_with_organization_and_its_context?}}

Conformities: {{form.Record_conformities_for_organization_and_its_context}}

Nonconformities: {{form.Record_nonconformities_for_organization_and_its_context}}

Suggestions: {{form.Suggestions_for_organization_and_its_context}}

Needs and expectations of relevant interested parties

Information: {{form.Needs_and_expectations_of_interested_parties_information}}

Any nonconformities?: {{form.Nonconformity_with_needs_and_expectations_of_interested_parties?}}

Conformities: {{form.Record_conformities_for_needs_and_expectations_of_interested_parties}}

Nonconformities: {{form.Record_nonconformities_for_needs_and_expectations_of_interested_parties}}

Suggestions: {{form.Suggestions_for_needs_and_expectations_of_interested_parties}}

ISMS scope

Information: {{form.ISMS_scope_information}}

Any nonconformities?: {{form.Nonconformity_with_ISMS_scope?}}

Conformities: {{form.Record_conformities_for_ISMS_scope}}

Nonconformities: {{form.Record_nonconformities_for_ISMS_scope}}

Suggestions: {{form.Suggestions_for_ISMS_scope}}


Leadership


ISMS leadership

Information: {{form.ISMS_leadership_information}}

Any nonconformities?: {{form.Nonconformity_with_ISMS_leadership?}}

Conformities: {{form.Record_conformities_for_ISMS_leadership}}

Nonconformities: {{form.Record_nonconformities_for_ISMS_leadership}}

Suggestions: {{form.Suggestions_for_ISMS_leadership}}

ISMS policy

Information: {{form.ISMS_policy_information}}

Any nonconformities?: {{form.Nonconformity_with_ISMS_policy?}}

Conformities: {{form.Record_conformities_for_ISMS_policy}}

Nonconformities: {{form.Record_nonconformities_for_ISMS_policy}}

Suggestions: {{form.Suggestions_for_ISMS_policy}}

ISMS roles, responsibilities, and authorities

Information: {{form.ISMS_roles_and_responsibilities_information}}

Any nonconformities?: {{form.Nonconformity_with_ISMS_roles_and_responsibilities?}}

Conformities: {{form.Record_conformities_for_ISMS_roles_and_responsibilities}}

Nonconformities: {{form.Record_nonconformities_for_ISMS_roles_and_responsibilities}}

Suggestions: {{form.Suggestions_for_ISMS_roles_and_responsibilities}}

ISMS consultation and participation of workers

Information: {{form.Consultation_and_participation_of_workers_information}}

Any nonconformities?: {{form.Nonconformity_with_consultation_and_participation_of_workers?}}

Conformities: {{form.Record_conformities_for_consultation_and_participation_of_workers}}

Nonconformities: {{form.Record_nonconformities_for_consultation_and_participation_of_workers}}

Suggestions: {{form.Suggestions_for_consultation_and_participation_of_workers}}


Planning


Actions to address ISMS risks and opportunities

ISMS risks information: {{form.ISMS_risks_information}}

Procedures for ISMS risk mitigation information: {{form.Procedures_for_engaging_ISMS_opportunities_information}}

ISMS opportunities information: {{form.ISMS_opportunities_information}}

Procedures for engaging ISMS opportunities information: {{form.Procedures_for_engaging_ISMS_opportunities_information}}

Any nonconformities?: {{form.Nonconformity_with_documentation_of_ISMS_risks_and_opportunities?}}

Conformities: {{form.Record_conformities_for_ISMS_risks_and_opportunities}}

Nonconformities: {{form.Record_nonconformities_for_ISMS_risks_and_opportunities}}

Suggestions: {{form.Suggestions_for_ISMS_risks_and_opportunities}}

ISMS objectives and plans to achieve them

ISMS objectives information: {{form.ISMS_objectives_information}}

Plans to achieve ISMS objectives information: {{form.Plans_to_achieve_ISMS_objectives_information}}

Any nonconformities?: {{form.Nonconformity_with_ISMS_objectives_and_plans_to_achieve_them?}}

Conformities: {{form.Record_conformities_with_ISMS_objectives_and_plans_to_achieve_them}}

Nonconformities: {{form.Record_nonconformities_with_ISMS_objectives_and_plans_to_achieve_them}}

Suggestions: {{form.Suggestions_for_ISMS_objectives_and_plans_to_achieve_them}}


Support


ISMS resources

Information: {{form.ISMS_resources_information}}

Any nonconformities?: {{form.Nonconformity_with_ISMS_resources?}}

Conformities: {{form.Record_conformities_for_ISMS_resources}}

Nonconformities: {{form.Record_nonconformities_for_ISMS_resources}}

Suggestions: {{form.Suggestions_for_ISMS_resources}}

ISMS competence

Information: {{form.ISMS_competence_information}}

Any nonconformities?: {{form.Nonconformity_with_ISMS_competence?}}

Conformities: {{form.Record_conformities_for_ISMS_competence}}

Nonconformities: {{form.Record_nonconformities_for_ISMS_competence}}

Suggestions: {{form.Suggestions_for_ISMS_competence}}

ISMS awareness

Information: {{form.ISMS_awareness_information}}

Any nonconformities?: {{form.Nonconformity_with_ISMS_awareness?}}

Conformities: {{form.Record_conformities_for_ISMS_awareness}}

Nonconformities: {{form.Record_nonconformities_for_ISMS_awareness}}

Suggestions: {{form.Suggestions_for_ISMS_awareness}}

ISMS communication

Information: {{form.ISMS_communication_information}}

Any nonconformities?: {{form.Nonconformity_with_ISMS_communication?}}

Conformities: {{form.Record_conformities_for_ISMS_communication}}

Nonconformities: {{form.Record_nonconformities_for_ISMS_communication}}

Suggestions: {{form.Suggestions_for_ISMS_communication}}

ISMS documented information

Information: {{form.ISMS_documented_information_notes}}

Any nonconformities?: {{form.Nonconformity_with_ISMS_documented_information?}}

Conformities: {{form.Record_conformities_for_ISMS_documented_information}}

Nonconformities: {{form.Record_nonconformities_for_ISMS_documented_information}}

Suggestions: {{form.Suggestions_for_ISMS_documented_information}}


Operation


ISMS operational planning and control

Information: {{form.ISMS_operational_planning_and_control_information}}

Any nonconformities?: {{form.Nonconformities_with_ISMS_operational_planning_and_control?}}

Conformities: {{form.Record_conformities_for_ISMS_operational_planning_and_control}}

Nonconformities: {{form.Record_nonconformities_for_ISMS_operational_planning_and_control}}

Suggestions: {{form.Suggestions_for_ISMS_operational_planning_and_control}}

ISMS information security risk assessment procedures

Information: {{form.ISMS_information_security_risk_assessment_procedures_information}}

Any nonconformities?: {{form.Nonconformities_with_ISMS_information_security_risk_assessment_procedures?}}

Conformities: {{form.Record_conformities_for_ISMS_information_security_risk_assessment_procedures}}

Nonconformities: {{form.Record_nonconformities_for_ISMS_information_security_risk_assessment_procedures}}

Suggestions: {{form.Suggestions_for_ISMS_information_security_risk_assessment_procedures}}

ISMS information security risk treatment procedures

Information: {{form.ISMS_information_security_risk_treatment_procedures_information}}

Any nonconformities?: {{form.Nonconformity_with_ISMS_information_security_risk_treatment_procedures?}}

Conformities: {{form.Record_conformities_for_ISMS_information_security_risk_treatment_procedures}}

Nonconformities: {{form.Record_nonconformities_for_ISMS_information_security_risk_treatment_procedures}}

Suggestions: {{form.Suggestions_for_ISMS_information_security_risk_treatment_procedures}}


Performance evaluation


Systems for monitoring and measuring ISMS performance

Information: {{form.Systems_for_monitoring_and_measuring_ISMS_performance_information}}

Any nonconformities?: {{form.Nonconformities_with_systems_for_monitoring_and_measuring_ISMS_performance?}}

Conformities: {{form.Record_conformities_for_systems_for_monitoring_and_measuring_ISMS_performance}}

Nonconformities: {{form.Record_nonconformities_for_systems_for_monitoring_and_measuring_ISMS_performance}}

Suggestions: {{form.Suggestions_for_systems_for_monitoring_and_measuring_ISMS_performance}}

ISMS internal audit procedures

Information: {{form.ISMS_internal_audit_procedures_information}}

Any nonconformities?: {{form.Nonconformity_with_ISMS_internal_audit_procedures?}}

Conformities: {{form.Record_conformities_for_ISMS_internal_audit_procedures}}

Nonconformities: {{form.Record_nonconformities_for_ISMS_internal_audit_procedures}}

Suggestions: {{form.Suggestions_for_ISMS_internal_audit_procedures}}

ISMS management review procedures

Information: {{form.ISMS_management_review_procedures_information}}

Any nonconformities?: {{form.Nonconformity_with_ISMS_management_review_procedures?}}

Conformities: {{form.Record_conformities_for_ISMS_management_review_procedures}}

Nonconformities: {{form.Record_nonconformities_for_ISMS_management_review_procedures}}

Suggestions: {{form.Suggestions_for_ISMS_management_review_procedures}}


Improvement


ISMS nonconformity and corrective action

Information: {{form.ISMS_nonconformity_and_corrective_action_information}}

Any nonconformities?: {{form.Nonconformity_with_ISMS_nonconformity_and_corrective_action?}}

Conformities: {{form.Record_conformities_for_ISMS_nonconformity_and_corrective_action}}

Nonconformities: {{form.Record_nonconformities_for_ISMS_nonconformity_and_corrective_action}}

Suggestions: {{form.Suggestions_for_ISMS_nonconformity_and_corrective_action}}

ISMS continuous improvement procedures

Information: {{form.ISMS_continuous_improvement_procedures_information}}

Any nonconformities?: {{form.Nonconformity_with_ISMS_continuous_improvement_procedures?}}

Conformities: {{form.Record_conformities_for_ISMS_continuous_improvement_procedures}}

Nonconformities: {{form.Record_nonconformities_for_ISMS_continuous_improvement_procedures}}

Suggestions: {{form.Suggestions_for_ISMS_continuous_improvement_procedures}}

Approval:

The following task will be submitted for approval:

  • Review audit evidence and findings

Closing the audit:

Prepare ISMS audit report

Audit reports should be issued within 24 hours of the audit to ensure the auditee is given the opportunity to take corrective action in a timely, thorough fashion.

If the report is issued several weeks after the audit, it will typically be lumped onto the “to-do” pile, and much of the momentum of the audit, including discussions of findings and feedback from the auditor, will have faded.

The lead auditor should prepare the audit report.

This task has been assigned a dynamic due date set to 24 hours after the audit evidence has been evaluated against criteria.

The audit report is the final record of the audit: the high-level document that gives a complete, concise, and clear account of everything of note that happened during the audit.

Use the sub-checklist below to check off important items included within the audit report:

  1. Audit programme objectives
  2. Individual audit objectives
  3. Individual audit scope
  4. Individual audit criteria
  5. An overview of the auditee and their context
  6. Roles and responsibilities of the audit team
  7. Key dates and locations of the audit
  8. Complete audit findings and corresponding evidence
  9. Audit conclusions
  10. Assessment of audit criteria
  11. Unresolved conflicts of opinion between the audit team and the auditee

Use the form field below to upload the completed audit report.


Issue ISMS audit report

As stressed in the previous task, distributing the audit report in a timely manner is one of the most important aspects of the entire audit process.

Use the email widget below to quickly and easily distribute the audit report to all relevant interested parties.

By default, the widget will send the report to:

  • The auditee main point of contact (Auditee main point of contact)
  • The audit programme manager (Audit programme manager email)
  • The lead auditor (Lead auditor email)

Should you want to distribute the report to additional interested parties, simply add their email addresses to the email widget below:

(Conditional) Prepare for audit follow-up

Depending on the outcome of the audit, there may be a need for follow-up action.

Follow-up action might include:

  • Corrective action in response to nonconformities
  • Opportunities for improvement
  • Actions to address risks and opportunities

A time-frame should be agreed upon between the audit team and auditee within which to carry out follow-up action.

As part of the follow-up actions, the auditee will be responsible for keeping the audit team informed of any relevant activities undertaken within the agreed time-frame. The completion and effectiveness of these actions will need to be verified – this may be part of a subsequent audit.

In any case, recommendations for follow-up action should be prepared ahead of the closing meeting and shared accordingly with relevant interested parties.

Use the form fields below to record follow-up action suggestions.


Prepare for closing meeting

Before the closing meeting, the audit team should make adequate preparations.

Make sure the following items are resolved ahead of the closing meeting:

  1. All audit findings are reviewed against audit objectives
  2. Audit conclusions are agreed upon
  3. Recommendations are prepared, if necessary
  4. Follow-up action has been discussed and agreed upon

Conduct closing meeting

Just like the opening meeting, it’s a great idea to conduct a closing meeting to orient everyone with the proceedings and outcome of the audit, and provide a firm resolution to the whole process.

The main point of the closing meeting should be to present audit findings and conclusions.

Lead auditors should be responsible for presenting audit findings and conclusions.

You can use the sub-checklist below as a kind of attendance sheet to make sure all relevant interested parties are in attendance at the closing meeting:

  1. Auditee management
  2. Audit programme manager
  3. Individuals responsible for the processes and procedures being audited
  4. The audit client
  5. All members of the audit team
  6. Other relevant interested parties, as determined by the auditee/audit programme

Once attendance has been taken, the lead auditor should go over the complete audit report, with special attention placed on:

  1. If applicable, first addressing any special occurrences or situations that might have impacted the reliability of audit conclusions
  2. Making sure all present are familiar with or have access to the complete audit report
  3. Making sure the auditee is familiar with the audit process
  4. Confirming the time-frame for audit follow-up actions
  5. Diverging opinions / disagreements in relation to audit findings between any relevant interested parties
  6. Opportunities for improvement

Depending on the situation and context of the audit, formality of the closing meeting can vary.

For more formal audits, minutes and records of attendance can be kept.

For more informal (e.g. internal) audits, it can be sufficient to simply communicate audit findings and audit conclusions.

In any case, during the course of the closing meeting, the following should be clearly communicated to the auditee:

  1. That audit evidence is based on sample information, and therefore cannot be fully representative of the overall effectiveness of the processes being audited
  2. The specific methods of audit reporting used
  3. Complete audit findings and conclusions
  4. Advice for how to proceed in light of audit findings
  5. Consequences if audit findings are not addressed
  6. Recommendations for post-audit follow-up activities
  7. The fact that recommendations are not binding

Complete the audit

The audit is to be considered formally complete when all planned activities and tasks have been completed, and any recommendations or future actions have been agreed upon with the audit client.

All information documented during the course of the audit should be retained or disposed of, depending on:

  • The nature of the information (sensitive, proprietary, etc.)
  • Requirements for particular management system standards
  • Any other agreements between relevant interested parties

It should be assumed that any information collected during the audit should not be disclosed to external parties without written approval of the auditee/audit client.

However, it may sometimes be a legal requirement that certain information be disclosed. Should that be the case, the auditee/audit client must be informed as soon as possible.

Disclaimer:

  1. Process Street is not affiliated or in partnership with the International Organization for Standardization (ISO). The materials on Process Street’s website are provided on an as-is basis and are for educational purposes. Process Street makes no warranties, expressed or implied, and hereby disclaims and negates all other warranties including, without limitation, implied warranties or conditions of merchantability, fitness for a particular purpose, or non-infringement of intellectual property or other violation of rights.
  2. Further, Process Street does not warrant or make any representations concerning the accuracy, likely results, or reliability of the use of the materials on its website or otherwise relating to such materials or on any sites linked to this site.