Files

11 KiB

ISO 27001:2022 Implementation Audit Checklist

Organization Information

Field Value
Organization Name
ISMS Scope
Assessment Date
Assessor Name
Assessment Type Gap Analysis / Internal Audit / Stage 1 / Stage 2

Clause 4: Context of the Organization

4.1 Understanding the Organization and its Context

  • Internal issues identified and documented
  • External issues identified and documented
  • PESTLE analysis completed
  • Issues regularly reviewed and updated
  • Evidence: _______________
  • Status: Conforming / Minor NC / Major NC / Not Assessed
  • Notes: _______________

4.2 Understanding the Needs and Expectations of Interested Parties

  • Interested parties identified
  • Requirements of interested parties documented
  • Legal, regulatory, and contractual requirements identified
  • Requirements reviewed periodically
  • Evidence: _______________
  • Status: Conforming / Minor NC / Major NC / Not Assessed

4.3 Determining the Scope of the ISMS

  • ISMS scope defined and documented
  • Scope considers internal and external issues (4.1)
  • Scope considers interested party requirements (4.2)
  • Scope considers interfaces and dependencies
  • Scope available as documented information
  • Evidence: _______________
  • Status: Conforming / Minor NC / Major NC / Not Assessed

4.4 Information Security Management System

  • ISMS processes established
  • ISMS implemented and maintained
  • Continual improvement processes in place
  • Evidence: _______________
  • Status: Conforming / Minor NC / Major NC / Not Assessed

Clause 5: Leadership

5.1 Leadership and Commitment

  • Top management demonstrates commitment to the ISMS
  • Information security policy and objectives aligned with strategic direction
  • ISMS requirements integrated into business processes
  • Adequate resources provided
  • Importance of information security communicated
  • ISMS achieves its intended outcomes
  • Persons directed and supported to contribute to ISMS effectiveness
  • Continual improvement promoted
  • Evidence: _______________
  • Status: Conforming / Minor NC / Major NC / Not Assessed

5.2 Information Security Policy

  • Policy appropriate to the purpose of the organization
  • Policy includes information security objectives or framework for setting objectives
  • Policy includes commitment to satisfy applicable requirements
  • Policy includes commitment to continual improvement
  • Policy available as documented information
  • Policy communicated within the organization
  • Policy available to interested parties as appropriate
  • Evidence: _______________
  • Status: Conforming / Minor NC / Major NC / Not Assessed

5.3 Organizational Roles, Responsibilities and Authorities

  • Information security roles and responsibilities assigned and communicated
  • Responsibility for ISMS conformance assigned
  • Responsibility for reporting ISMS performance assigned
  • Evidence: _______________
  • Status: Conforming / Minor NC / Major NC / Not Assessed

Clause 6: Planning

6.1.1 General (Actions to Address Risks and Opportunities)

  • Risks and opportunities considered (referencing 4.1 and 4.2)
  • Actions planned to address risks and opportunities
  • Plans for integrating actions into ISMS processes
  • Plans for evaluating effectiveness of actions
  • Evidence: _______________
  • Status: Conforming / Minor NC / Major NC / Not Assessed

6.1.2 Information Security Risk Assessment

  • Risk assessment process defined and documented
  • Risk acceptance criteria established
  • Criteria for performing risk assessments defined
  • Risk assessment process produces consistent, valid, and comparable results
  • Information security risks identified
  • Risk owners identified
  • Risk likelihood and impact assessed
  • Risk levels determined
  • Risk assessment results documented
  • Evidence: _______________
  • Status: Conforming / Minor NC / Major NC / Not Assessed

6.1.3 Information Security Risk Treatment

  • Risk treatment options selected (mitigate, accept, avoid, transfer)
  • Controls determined for risk treatment
  • Controls compared with Annex A
  • Statement of Applicability produced
  • Risk treatment plan formulated
  • Risk owners approve risk treatment plan and residual risks
  • Evidence: _______________
  • Status: Conforming / Minor NC / Major NC / Not Assessed

6.2 Information Security Objectives and Planning to Achieve Them

  • Objectives established at relevant functions and levels
  • Objectives consistent with information security policy
  • Objectives measurable (where practicable)
  • Objectives consider applicable requirements and risk assessment results
  • Objectives communicated
  • Objectives updated as appropriate
  • Plans: what will be done, resources, responsibilities, timelines, evaluation
  • Evidence: _______________
  • Status: Conforming / Minor NC / Major NC / Not Assessed

6.3 Planning of Changes

  • Changes to ISMS carried out in a planned manner
  • Evidence: _______________
  • Status: Conforming / Minor NC / Major NC / Not Assessed

Clause 7: Support

7.1 Resources

  • Resources needed for ISMS determined and provided
  • Evidence: _______________
  • Status: Conforming / Minor NC / Major NC / Not Assessed

7.2 Competence

  • Competence requirements determined for ISMS roles
  • Competence ensured through education, training, or experience
  • Actions taken to acquire competence where needed
  • Evidence of competence retained
  • Evidence: _______________
  • Status: Conforming / Minor NC / Major NC / Not Assessed

7.3 Awareness

  • Persons aware of information security policy
  • Persons aware of their contribution to ISMS effectiveness
  • Persons aware of implications of not conforming to ISMS requirements
  • Evidence: _______________
  • Status: Conforming / Minor NC / Major NC / Not Assessed

7.4 Communication

  • Internal and external communication needs determined
  • What to communicate defined
  • When to communicate defined
  • With whom to communicate defined
  • How to communicate defined
  • Evidence: _______________
  • Status: Conforming / Minor NC / Major NC / Not Assessed

7.5 Documented Information

  • Documented information required by ISO 27001 maintained
  • Additional documented information determined by organization maintained
  • Appropriate identification and description
  • Appropriate format (language, software version, graphics)
  • Appropriate review and approval
  • Documented information available and suitable for use
  • Adequate protection (loss of confidentiality, improper use, integrity loss)
  • Distribution, access, retrieval, and use controlled
  • Storage and preservation controlled
  • Control of changes maintained
  • Retention and disposition determined
  • Evidence: _______________
  • Status: Conforming / Minor NC / Major NC / Not Assessed

Clause 8: Operation

8.1 Operational Planning and Control

  • Processes needed to meet ISMS requirements planned, implemented, and controlled
  • Criteria for processes established
  • Control of processes in accordance with criteria implemented
  • Documented information retained to demonstrate processes carried out as planned
  • Planned changes controlled
  • Unintended changes reviewed and actions taken to mitigate adverse effects
  • Outsourced processes controlled
  • Evidence: _______________
  • Status: Conforming / Minor NC / Major NC / Not Assessed

8.2 Information Security Risk Assessment

  • Risk assessments performed at planned intervals
  • Risk assessments performed when significant changes occur
  • Results of risk assessments documented
  • Evidence: _______________
  • Status: Conforming / Minor NC / Major NC / Not Assessed

8.3 Information Security Risk Treatment

  • Risk treatment plan implemented
  • Results of risk treatment documented
  • Evidence: _______________
  • Status: Conforming / Minor NC / Major NC / Not Assessed

Clause 9: Performance Evaluation

9.1 Monitoring, Measurement, Analysis and Evaluation

  • What needs to be monitored and measured determined
  • Monitoring and measurement methods determined
  • When monitoring and measuring shall be performed determined
  • Who shall monitor and measure determined
  • When results shall be analysed and evaluated determined
  • Who shall analyse and evaluate results determined
  • Results of monitoring and measurement documented
  • Evidence: _______________
  • Status: Conforming / Minor NC / Major NC / Not Assessed

9.2 Internal Audit

  • Internal audit programme planned (frequency, methods, responsibilities)
  • Audit programme considers importance of processes and previous audit results
  • Audit criteria and scope defined for each audit
  • Auditors selected to ensure objectivity and impartiality
  • Audit results reported to relevant management
  • Documented information retained as evidence of audit programme and results
  • Evidence: _______________
  • Status: Conforming / Minor NC / Major NC / Not Assessed

9.3 Management Review

  • Management review conducted at planned intervals
  • Review considers status of actions from previous reviews
  • Review considers changes in external and internal issues
  • Review considers feedback on information security performance
  • Review considers feedback from interested parties
  • Review considers risk assessment results and treatment plan status
  • Review considers opportunities for continual improvement
  • Decisions on improvement opportunities documented
  • Decisions on changes needed to ISMS documented
  • Evidence: _______________
  • Status: Conforming / Minor NC / Major NC / Not Assessed

Clause 10: Improvement

10.1 Continual Improvement

  • Suitability, adequacy, and effectiveness of ISMS continually improved
  • Evidence: _______________
  • Status: Conforming / Minor NC / Major NC / Not Assessed

10.2 Nonconformity and Corrective Action

  • Nonconformities identified and reacted to
  • Actions taken to control and correct nonconformities
  • Consequences dealt with
  • Need for action to eliminate root cause evaluated
  • Corrective actions implemented
  • Effectiveness of corrective actions reviewed
  • Changes to ISMS made if necessary
  • Documented information retained on nature of nonconformities, actions taken, and results
  • Evidence: _______________
  • Status: Conforming / Minor NC / Major NC / Not Assessed

Summary

Category Total Items Conforming Minor NC Major NC Not Assessed
Clause 4
Clause 5
Clause 6
Clause 7
Clause 8
Clause 9
Clause 10
Total

Annex A Control Assessment (attach separately)

  • Total Applicable Controls: _____ / 93
  • Fully Implemented: _____
  • Partially Implemented: _____
  • Not Implemented: _____
  • Not Applicable: _____

Recommendations




Sign-off

Role Name Signature Date
Assessor
ISMS Manager
Top Management