ISO/IEC 27001 Audit Checklist

4. Information security management system

4.2.1a) Review the documented ‘scope and boundaries’ of the ISMS, particularly any exclusions.  To what extent does the ISMS match the organization?  Are there justified reasons for excluding any elements?

4.2.1b) Review the organization’s ISMS policy.  Does it adequately reflect the organization’s general characteristics and its strategic risk management approach?  Does it incorporate the organization’s business requirements plus any legal or regulatory obligations for information security?  Confirm that it has been formally approved by management and sets meaningful criteria for evaluating information security risks.  [Note: in the context of ISO/IEC 27001, “ISMS policy” refers to management’s statement of the main information security objectives or requirements, the overarching broad principles of information security.  The more detailed information security policies, standards, procedures and guidelines will be reviewed under 4.2.1 and 4.2.2].

4.2.1c) Ascertain and review the organization’s choice/s of risk assessment method/s (whether bespoke or a generally-accepted method – see ISO/IEC 27005, when issued, for further guidance).  Are the results of risk assessments comparable and reproducible?  Look for any examples of anomalous results to determine how they were addressed and resolved.  Was the risk assessment method updated as a result?  Also review management’s definition of criteria to accept or mitigate risks (the “risk appetite”).  Is the definition sensible and practicable in relation to information security risks?

4.2.1d) and e) Review the information asset inventory and information security risks identified by the organization.  Are all relevant in-scope information assets included?  Are accountable owners identified for all the assets?  Review the analysis/evaluation of threats, vulnerabilities and impacts, the documentation of risk scenarios plus the prioritization or ranking of risks.  Look for risks that are materially mis-stated or under-played, for example those where the corresponding controls are expensive or difficult to implement, perhaps where the risks have been misunderstood.

4.2.1f) Review the organization’s Risk Treatment Plan.  Are appropriate “treatments” (i.e. mitigation through applying suitable controls, avoiding the risk, transferring the risk to third parties or knowingly accepting the risks if they fall within management’s risk appetite) specified for all identified risks?  Look for gaps and other anomalies.  Check also whether recent changes (e.g. new IT systems or business processes) have been suitably incorporated, in other words is the Risk Treatment Plan being used and updated proactively as an information security management tool?

4.2.1g) For those information security risks that are to be mitigated, review the defined control objectives and selected controls using suitable sampling e.g. stratified sampling by types of control (technical, physical, procedural or legal), by risk ranking (high, medium or low), by location (business units, sites/buildings etc.) or by other audit sampling criteria.  Compare the objectives and controls against those suggested by ISO/IEC 27002 and summarized in Annex A of ISO/IEC 27001, in particular identifying and reviewing any significant discrepancies from the standards (e.g. commonplace objectives or controls from the standards that are not used by the organization, or any that may have been added).  Also check that any information security requirements explicitly mandated by corporate policies, industry regulations, laws or contracts etc. are properly reflected in the documented control objectives and controls.  [Note: the ISM audit checklist in Appendix B may prove useful in auditing the controls, but beware of sinking too much audit time into this one aspect.]

4.2.1h) Briefly evaluate the residual information security risks.  Has management formally considered and approved them?  Are they within the organization’s defined risk appetite?

4.2.1i) Confirm whether management has authorized the implementation and operation of the ISMS, for example through a formal memorandum, project approval, letter of support from the CEO etc.  Is this a mere formality or is there evidence that management genuinely understands and supports the ISMS?

4.2.1j) Review the organization’s Statement of Applicability documenting and justifying the control objectives and controls, both those that are applicable and any that have been excluded/deselected.  Confirm that suitable entries exist for all control objectives and controls listed in Annex A of ISO/IEC 27001.  Has the Statement of Applicability been reviewed and endorsed/authorized by an appropriate level of management?

4.2.2  Review the ISMS as implemented and operated against the documented ISMS requirements by sampling (see 4.2.1g and Annex A of ISO/IEC 27001).  Look for evidence supporting or refuting the correlation between documented risks and controls and those actually in operation.

4.2.3  Review the ISMS monitoring and review processes using evidence such as plans, minutes of review meetings, management review/internal audit reports, breach/incident reports etc.  Assess the extent to which processing errors, security breaches and other incidents are detected, reported and addressed.  Determine whether and how the organization is effectively and proactively reviewing the implementation of the ISMS to ensure that the security controls identified in the Risk Treatment Plan, policies etc. are actually implemented and are in fact in operation.  Also review ISMS metrics and their use to drive continuous ISMS improvements.

4.2.4  Review the means by which the need for ISMS improvements is determined and improvements are implemented.  Look for evidence in the form of management memos, reports, emails etc. documenting the need for improvements, authorizing them and making them happen.

4.3.1  Review ISMS documentation including:

- ISMS policy statements, control objectives, procedures, standards, guidelines etc.
- ISMS scope
- Management’s choice of risk assessment method/s plus the risk assessment report/s arising and the Risk Treatment Plan
- Other procedures relating to the planning, operation and review of the ISMS
- ISMS records (see 4.3.3)
- The Statement of Applicability

4.3.2  Check for the presence of, and compliance with, a documented procedure for controlling updates to ISMS documentation, policies, procedures, records etc.  Determine whether ISMS documentation changes are formally controlled e.g. changes are reviewed and pre-approved by management, and are promulgated to all users of the ISMS documentation e.g. by updating a definitive reference set of materials maintained on the corporate intranet and/or explicitly notifying all applicable users.

4.3.3  Evaluate the controls protecting important ISMS records such as various information security review and audit reports, action plans, formal ISMS documents (including changes to same), visitors’ books, access authorization/change forms etc.  Review the adequacy of controls over the identification, storage, protection, retrieval, retention time and disposition of such records, particularly in situations where there are legal, regulatory or contractual obligations to implement an ISMS in compliance with ISO/IEC 27001 (e.g. to protect personal data).

5. Management responsibility

5.1  Review the extent of management commitment to information security, using evidence such as:

- Formal management approval of the ISMS policy manual
- Management acceptance of ISMS objectives and implementation plans, along with the allocation of adequate resources and assignment of suitable priorities to the associated activities (see also 5.2.1)
- Clear roles and responsibilities for information security including a process for allocating and accepting accountability for the proper protection of valuable information assets
- Management memoranda, emails, presentations, briefings etc. expressing support for and commitment to the ISMS
- Risk acceptance criteria, risk appetite etc. relating to information security risks
- The scoping, resourcing and initiation of internal audits and management reviews of the ISMS

5.2.1  Review the resources allocated to the ISMS in terms of budget, manpower etc., in relation to the organization’s stated aims for the ISMS and (where applicable) by comparison to comparable organizations (benchmarking).  Is the ISMS adequately funded in practice?  Are sufficient funds allocated by management to address information security issues in a reasonable timescale and to a suitable level of quality?

5.2.2  Review the training of those specifically involved in operating the ISMS, and general information security awareness activities targeting all employees.  Are necessary competencies and training/awareness requirements for information security professionals and others with specific roles and responsibilities explicitly identified?  Are training/awareness budgets adequate to fund the associated training and awareness activities?  Review training evaluation reports etc. and seek evidence to confirm that any necessary improvement actions have in fact been taken.  Check by sampling that employee HR records note ISMS-related training etc. (where applicable).  Assess the general level of information security awareness by surveying/sampling, or review the results of surveys/samples conducted as part of the ISMS.

6. Internal ISMS audits

6  Review the organization’s internal audits of the ISMS, using ISMS audit plans, audit reports, action plans etc.  Are responsibilities for conducting ISMS internal audits formally assigned to competent, adequately trained IT auditors?  Determine the extent to which the internal audits confirm that the ISMS meets the requirements defined in ISO/IEC 27001, relevant legal, regulatory or contractual obligations, and the organizational ISMS requirements specified through the risk assessment process.  Check that agreed action plans, corrective actions etc. are generally being addressed and verified within the agreed timescales, paying particular attention to any currently overdue actions for topical examples.

7. Management review of the ISMS

7.1  Determine when management has previously reviewed the ISMS, and when it next plans to do so.  Such reviews must occur at least once a year.  The frequency of reviews must be defined e.g. in the ISMS policy or ISM policy manual.

7.2  By reviewing management reports and other records, and/or by interviewing those who were involved, check what went into the previous management review/s (ISO/IEC 27001 identifies nine items such as the results of other audits/reviews, feedback and improvement suggestions, information on vulnerabilities and threats etc.).  Assess the extent to which management played an active part and was fully engaged in the review/s.

7.3  Check the outputs of any previous management review/s including key management decisions, action plans and records relating to the confirmation that agreed actions were duly actioned.  If necessary, confirm that closed actions have in fact been properly completed, focusing perhaps on any that were not completed promptly or on time.

8. ISMS improvement

8.2  Obtain and review information relating to ISMS corrective actions such as reports and action plans from ISMS management review/s or audits (see 7.3), ISMS change requests, budget/investment proposals and business cases etc.  Seek evidence that the ISMS is in fact being materially improved as a result of the feedback – more than just fine words, check the documentation relating to closure of action plan items etc. to confirm whether nonconformities and their root causes are actually being resolved by management within reasonable timescales.  Check that the corrective actions taken address the root cause of the nonconformities and are effective.

8.3  In addition to making ISMS improvements resulting from actual nonconformities previously identified, determine whether the organization takes a more proactive stance towards addressing potential improvements, emerging or projected new requirements etc.  Seek evidence of ISMS changes (such as adding, changing or removing information security controls) in response to the identification of significantly changed risks.

For more information please visit AECISO.
