INTERNAL

AUDIT
CHECKLIST -
ISO 27001-2022

QUALITY MANAGEMENT PROFESSIONALS

linkedin.com/company/qmsprofessionals
 ISO 27001:2022
Information Security, Cybersecurity, and
Privacy Protection

Internal Audit Checklist

Organization Name
CONTEXT
THE ORGANISATION

☐ Have we determined internal and external issues that will impact on our information security
management system? “NO/YES”

☐ Have we determined which stakeholder requirements are addressed through the information
security management system? “NO/YES”

Interested Parties

☐ Have we determined what internal and external interested parties are relevant to the information
security management system and what their requirements are? “NO/YES”

Scope

☐ Have we determined the boundaries of the information security

management system and documented the scope? “NO/YES”

Leadership
Leadership and Commitment

☐
Can we demonstrate top management is providing leadership and commitment to the
information security management system? “NO/YES”

Information Security Policy

☐ Have we documented an information security policy that is
communicated and available? “NO/YES”

Roles and Responsibilities

☐ Are roles and responsibilities for information security communicated and understood? “NO/YES”
Planning
Risks and Opportunities

☐ Have we determined the information security risks and opportunities related to our
organization? “NO/YES”

☐ Have we implemented a documented information security risk assessment process? “NO/YES”

Statement of Applicability

☐ Have we documented a risk treatment plan and Statement of Applicability with regard to controls?
“NO/YES”

Information Security Objectives

☐ Have we established information security objectives? “NO/YES”

☐ Are our information security objectives available as documented information? “NO/YES”

☐ Do we monitor, measure, and communicate them? “NO/YES”

☐ Do we have plans to achieve them? “NO/YES”

☐ Have we maintained records? “NO/YES”

Planning of changes

☐ Are changes to the information security management system carried out in a manner that is planned? “NO/YES”
Support
Resources

☐ Have we determined and ensured necessary resources are in place for the information security
management system? “NO/YES”

Competence
☐ Do we ensure competence of personnel? “NO/YES”

☐ Do we maintain records? “NO/YES”

Awareness
☐ Have we ensured that personnel are aware of our policy, relevant objectives, and their
responsibilities? “NO/YES”
Communication

☐ Have we determined processes for internal and external communication relevant to information
security? “NO/YES”
Control of Documents

☐ Do we ensure documents and records are controlled? “NO/YES”

Operations
Operational Planning and Control

☐ Have we established and maintained procedures to meet the requirements of the information security
management system? “NO/YES”

☐ Have we established criteria for processes, and do we maintain control of the processes in accordance
with these criteria? “NO/YES”

Risk Assessment

☐ Do we assess risk at planned intervals and when significant changes occur, and do we maintain records?
“NO/YES”

Risk Treatment

☐ Have we implemented risk treatment plans, and do we maintain records? “NO/YES”

Performance Evaluation
Monitoring & Measurement

☐ Do we monitor things such as processes, operational controls, access, usage, change? “NO/YES”

☐ Do we measure things such as KPIs, performance against targets? “NO/YES”

☐ Do we analyse this information and maintain records? “NO/YES”

Internal Audit

☐
Do we plan and conduct internal audits to ensure the information security system conforms to
requirements and is implemented effectively? “NO/YES”

☐ Do we maintain records? “NO/YES”

Management Review

☐
Does our top management review our information security management system at planned intervals?
“NO/YES”

☐ Do we maintain records? “NO/YES”

☐
Do we include decisions relating to continual improvement and any need for changes in the
documented results of the management reviews? “NO/YES”
Improvement
Continual Improvement

☐ Do we continually improve the information security management system? “NO/YES”

Nonconformity and Corrective Action

☐ Do we take control of, correct and deal with the consequences of nonconformities raised? “NO/YES”

☐ Do we review and determine the root cause of the nonconformity? “NO/YES”

☐
Do we review the effectiveness of corrective action taken and use this knowledge to make changes or
improvements to the information security management system? “NO/YES”

☐ Do we maintain records? “NO/YES”

 ANNEX A
Control Status
5 Organizational Controls

5.1 Policies for A set of information security policies relevant to

information interested parties
security
5.2 Information security Defining and allocating roles and responsibilities within the
roles and responsibilities information security management system as appropriate and in
accordance with organizational
needs
5.3 Segregation of duties Conflicting duties and areas of responsibility are
handled separately from each other
5.4 Management Management ensures all personnel are applying information
responsibilities security in accordance with the established policies and
procedures of the organisation

5.5 Contact with Contact with relevant authorities is established and

authorities maintained by the organisation
5.6 Contact with Contact with special interest groups, specialist
special interest security forums and/or professional associations is established and
groups maintained by the organisation
5.7 Threat intelligence The organisation collects and analyses information relating to
information security threats
5.8 Information security Information security is integrated into management of
in projects
project management
5.9 Inventory of Development and maintenance of an inventory of
information and information and other associated assets, including
other associated owners
assets
5.10 Acceptable use of Defined, documented, and implemented rules for the acceptable use
information and other and procedures for handling information and other associated assets
Associated assets
5.11 Return of assets Assets belonging to the organisation in the possession of
personnel and other interested parties are returned to the
organisation upon change to or termination of their
employment, contract, or agreement

5.12 Classification of Information is classified based on confidentiality, integrity,

information availability, and relevant interested party requirements

5.13 Labelling of A set of defined, documented, and implemented

information procedures for labeling of information aligned with the
information classification scheme
5.14 Information transfer Defined and implemented rules, procedures, or
agreements for all types of transfer facilities within
 the organisation as well as between the organisation and
other parties
5.15 Access control Defined and documented rules to control physical and
logical access to information
5.16 Identity management Management of identities for their full life cycle

5.17 Authentication information Allocation and management of authentication

information, such as usernames and passwords, is
controlled by a management process that includes
advising personnel on appropriate handling of
authentication information
5.18 Access rights Provisioning, reviewing, and monitoring of access rights to
information and other assets in accordance with the
relevant policy and rules for access control
5.19 Information security in Defined and implemented processes and procedures for
supplier relationships managing information security risks associated with the use
of supplier products or services
5.20 Addressing information Establishing and agreeing upon information security
security within requirements in supplier relationships
supplier agreements
5.21 Managing information Defined and implemented processes and procedures to
security in the information and manage information security risks associated with ICT
communication technology products and services supply chain
(ICT)supply chain
5.22 Monitoring, review and Regular monitoring, review, and evaluation of changes
change management of in supplier information security practices
supplier
services
5.23 Information security for use of Establishing processes for the acquisition, use,
cloud services management, and exit from cloud services in
accordance with the organisational information
security requirements
5.24 Information security Defined, implemented, and communicated processes as
incident management well as roles and responsibilities for management of an
planning and preparation information security incident

5.25 Assessment and decision on Assessing information security events to determine if they
information security events are to be categorised as information security incidents

5.26 Response to information Documented and implemented procedures on

security appropriate response to information security
incidents incidents
5.27 Learning from information Strengthening and improving controls based on
security incidents knowledge gained from information security incidents

5.28 Collection of evidence Establishing and implementing procedures for

identification, collection, acquisition, and
preservation of evidence relating to information
security events
5.29 Information security Developing a plan to maintain information security at an
during appropriate level during disruption
disruption
5.30 ICT readiness for Implementing processes so the organisation can continue
business continuity operations as usual in case of a disruption
that affects ICT
5.31 Legal, statutory, Identifying, documenting and keeping up to date with legal,
regulatory, and contractual statutory, regulatory and contractual requirements relevant to
requirements information security
5.32 Intellectual property Implementing appropriate procedures to protect
rights intellectual property rights
5.33 Protection of records Storing records such that they are protected from loss,
destruction, falsification, unauthorised access,
and unauthorised release
5.34 Privacy and Identifying and meeting relevant requirements regarding
protection of personal preservation of privacy and protection of PII
identifiable information
(PII)
5.35 Independent Independent reviews at planned intervals, or when significant
review of information changes occur, of the organisational approach to managing
security information security and its implementation including people,
processes, and technologies

5.36 Compliance with Regularly reviewing organisational compliance with its

policies, rules, and information security policy and topic-specific policies, rules,
standards for and standards
information security
5.37 Documented Documented procedures for information processing
operating facilities
procedures
6 People Controls
6.1 Screening Conducting background checks on all candidates prior to
joining the organisation as well as on an ongoing basis

6.2 Terms and Documenting both personnel and organisational

conditions of responsibilities for information security in
employment employment contractual agreements
6.3 Information Regularly providing personnel of the organisation and other relevant
security awareness, interested parties appropriate information security awareness,
education, and education, and
training training as well as updates of the organisation’s information security
policy, topic-specific policies, and procedures as appropriate to their
job
6.4 Disciplinary process Formalising and communicating a process to take actions against
personnel and other relevant interested parties who violate
information security
policies
6.5 Responsibilities Defining, enforcing, and communicating to relevant personnel
after termination and interested parties the responsibilities and duties that
remain after termination or change of employment
or change of
employment
6.6 Confidentiality Documenting and regularly reviewing confidentiality or non-
or non-disclosure disclosure agreements signed by personnel and other relevant
agreements parties as per organisational
needs
6.7 Remote working Implementing security measures when personnel are
working remotely such that information accessed,
processed, or stored outside the organisation’s premises is
protected
6.8 Information Providing a method by which personnel can report observed
security event or suspected information security events through
reporting appropriate channels and in a timely manner
7 Physical Controls
7.1 Physical security Defining security perimeters to protect areas that
perimeters contain information and other associated assets
7.2 Physical entry Protecting secure areas with appropriate entry
controls and access points
7.3 Securing offices, Designing and implementing physical security for offices, rooms,
rooms, and facilities and facilities
7.4 Physical security Continuous monitoring of premises for unauthorised
monitoring physical access
7.5 Protecting against Designing and implementing infrastructure to protect against
physicaland physical and environmental threats such as natural disasters
environmental threats
7.6 Working in secure areas Designing and implementing security measures for
working in secure areas
7.7 Clear desk and clear Defining and enforcing clear desk rules for papers and
screen removable storage, as well as clear screen rules for
information processing facilities
7.8 Equipment siting and Securely siting and protecting equipment
protection
7.9 Security of Protecting assets that are stored off-site
assets off-
premises
7.10 Storage media Managing storage media through their life cycle of
acquisition, use, transportation, and disposal in
accordance with the organisation’s classification scheme
and handling requirements
7.11 Supporting utilities Protecting information processing facilities from
power failures and other disruptions
7.12 Cabling security Protecting cables carrying power, data, or supporting
information services from interception, interference, or
damage
7.13 Equipment Maintaining equipment correctly to ensure the
maintenance availability, integrity, and confidentiality of
information
7.14 Secure disposal or re- Verifying items of equipment containing storage media to
use of ensure that any sensitive data and licensed
equipment
 software has been removed or securely overwritten prior
to disposal or re-use
8 Technological Controls
8.1 User end point devices Protecting information stored on, processed by, or
accessible via user end point devices
8.2 Privileged access rights Restricting and managing the use or privileged access rights

8.3 Information access Restricting access to information and other

restriction associated assets in accordance with the
organisation’s access control policy
8.4 Access to source code Managing read and write access to source code,
development tools and software libraries
8.5 Secure authentication Implementing secure authentication technologies and
procedures based on access restrictions and the
organisation’s access control policy
8.6 Capacity management Monitoring and adjusting the use of resources in line with current
and expected capacity requirements
8.7 Protection against Implementing malware protection supported by user
malware awareness
8.8 Management of Obtaining information about technical vulnerabilities,
technical evaluating the organisation’s exposure to such
vulnerabilities vulnerabilities, and taking appropriate measures
8.9 Configuration Establishing, documenting, implementing, monitoring, and
management reviewing configurations including
security configurations of hardware, software, services, and
networks
8.10 Information deletion Deleting information stored in information systems, devices, or
other storage media when the information is no longer required

8.11 Data masking Masking data as appropriate and in accordance with the
organisation’s access control policy and other relevant
legislation
8.12 Data leakage Applying measures to systems, networks, and any other devices
prevention that process, store, or transmit
sensitive data to prevent leakage of data
8.13 Information backup Maintaining backup copies of information, software, and
systems
8.14 Redundancy of Implementing sufficient redundancy in information
information processing processing systems to meet availability requirements
facilities
8.15 Logging Producing, storing, protecting, and analysing logs that record
activities, exceptions, faults, and other
relevant events
8.16 Monitoring activities Monitoring networks, systems, and applications for unusual
behaviour and taking appropriate actions to
evaluate potential for information security events
8.17 Clock synchronisation Synchronising clocks of information processing
systems to approve time sources
8.18 Use of privileged Restricting the use of utility programs that can
utility override system and application controls
programs
8.19 Installation of Implementing procedures to securely manage installation of
software on operational software on operational systems
systems
8.20 Networks security Securing, managing, and controlling networks and network
devices to protect information in systems and applications

8.21 Security of network Implementing and monitoring security mechanisms,

services service levels, and service requirements of network services

8.22 Segregation of Segregating groups of information services, users, and

networks information systems in the organisation’s networks

8.23 Web filtering Managing access to external websites to reduce

exposure to malicious content
8.24 Use of cryptography Defining and implementing rules for effective use of
cryptography, including cryptographic key management

8.25 Secure Establishing and applying rules for the secure

development lifecycle development of software and systems
8.26 Application security Identifying information security requirements when
requirements developing or acquiring applications
8.27 Secure system Establishing, documenting, maintaining, and applying principles for
architecture and engineering secure systems to all information system development
engineering principles activities
8.28 Secure coding Applying secure coding principles to software
development
8.29 Security testing in Defining and implementing processes for security
development and testing within the development life cycle
acceptance
8.30 Outsourced Monitoring and reviewing development activities that have
development been outsourced
8.31 Separation of Secure, separate environments for development, testing, and
development, test, and production
production environments
8.32 Change management Procedures implemented to manage changes to
information processing facilities and information
systems
8.33 Test information Appropriate selection, protection, and management of
information used for testing
8.34 Protection of Planning and appropriately managing audit tests and other
information systems assurance activities of operational systems
during audit testing
THANK YOU

STAY TUNED

FOLLOW,LIKE & COMMENT

QUALITY MANAGEMENT PROFESSIONALS
linkedin.com/company/qmsprofessionals