Iso 27001 Audit Checklist .xls

Author: Dejan Kosutic

If you are planning your ISO 27001 or ISO 22301 internal audit for the first time, you are probably puzzled by the complexity of the standard and what you should check out during the audit. So, you’re probably looking for some kind of a checklist to help you with this task. Here’s the bad news: there is no universal checklist that could fit your company needs perfectly, because every company is very different; but the good news is: you can develop such a customized checklist rather easily.

The steps in the internal audit

Let’s see which steps you need to take to create a checklist, and where they are used. By the way, these steps are applicable for internal audit of any management standard, e.g. ISO 9001, ISO 14001, etc.:

  1. Document review. In this step you have to read all the documentation of your Information Security Management System or Business Continuity Management System (or the part of the ISMS/BCMS you are about to audit) in order to: (1) become acquainted with the processes in the ISMS, and (2) find out whether there are nonconformities in the documentation with regard to ISO 27001 or ISO 22301.
  2. Creating the checklist. Basically, you make a checklist in parallel to Document review – you read about the specific requirements written in the documentation (policies, procedures and plans), and write them down so that you can check them during the main audit. For instance, if the Backup policy requires the backup to be made every 6 hours, then you have to note this in your checklist, to remember later on to check if this was really done.
  3. Planning the main audit. Since there will be many things you need to check out, you should plan which departments and/or locations to visit and when – and your checklist will give you an idea on where to focus the most.
  4. Performing the main audit. The main audit, as opposed to document review, is very practical – you have to walk around the company and talk to employees, check the computers and other equipment, observe physical security, etc. A checklist is crucial in this process – if you have nothing to rely on, you can be certain that you will forget to check many important things; also, you need to take detailed notes on what you find.
  5. Reporting. Once you finish your main audit, you have to summarize all the nonconformities you found, and write an Internal audit report – of course, without the checklist and the detailed notes you won’t be able to write a precise report. Based on this report, you or someone else will have to open corrective actions according to the Corrective action procedure.
  6. Follow-up. In most cases, the internal auditor will be the one to check whether all the corrective actions raised during the internal audit are closed – again, your checklist and notes can be very useful here to remind you of the reasons why you raised a nonconformity in the first place. Only after the nonconformities are closed is the internal auditor’s job finished.

Making your checklist usable for beginners

So, developing your checklist will depend primarily on the specific requirements in your policies and procedures.

But if you are new in this ISO world, you might also add to your checklist some basic requirements of ISO 27001 or ISO 22301 so that you feel more comfortable when you start with your first audit. First of all, you have to get the standard itself; then, the technique is rather simple – you have to read the standard clause by clause and write the notes in your checklist on what to look for.

By the way, the standards are rather difficult to read – therefore, it would be most helpful if you could attend some kind of training, because this way you will learn about the standard in a most effective way. (Click here to see a list of ISO 27001 and ISO 22301 webinars.)

What to include in your checklist

Normally, the checklist for internal audit would contain 4 columns:

  • Reference – e.g. clause number of the standard, or section number of a policy, etc.
  • What to look for – this is where you write what it is you would be looking for during the main audit – whom to speak to, which questions to ask, which records to look for, which facilities to visit, which equipment to check, etc.
  • Compliance – this column you fill in during the main audit, and this is where you conclude whether the company has complied with the requirement. In most cases this will be Yes or No, but sometimes it might be Not applicable.
  • Findings – this is the column where you write down what you have found during the main audit – names of persons you spoke to, quotes of what they said, IDs and content of records you examined, description of facilities you visited, observations about the equipment you checked, etc.


Don’t be afraid


So, performing the internal audit is not that difficult – it is rather straightforward: you need to follow what is required in the standard and what is required in the ISMS/BCMS documentation, and find out whether the employees are complying with those rules.

If you have prepared your internal audit checklist properly, your task will certainly be a lot easier.

Learn how to perform an internal audit in this free ISO 27001 Internal Auditor Online Course.


If you are planning your ISO 27001 audit, you may be looking for some kind of an ISO 27001 audit checklist, such as a free ISO PDF download, to help you with this task.

Although they are helpful to an extent, there is no tick-box universal checklist that can simply be “ticked through” for ISO 27001 or any other standard.

Every company is different. And if an ISO management system for that company has been specifically written around its needs (which it should be!), each ISO system will be different. The internal auditing process will be different. We explain this in more depth elsewhere in our blogs. You could always call us, too!

However, you can create your own basic ISO 27001 audit checklist, customised to your organisation, without too much trouble. Read on to find out how.
Basics

By the way, we’re taking a broad, simple approach in this blog. But for the best results, we’d recommend some training to make the whole process much easier. However, sharing some basics will, at least, demystify the process and provide a basic framework.

And these broad principles are applicable for internal audit of other standards, such as ISO 9001, ISO 14001, etc.:

So, some basic steps in the process:

Document review.

Quite simple! Read your Information Security Management System (or part of the ISMS you are about to audit). You will need to understand processes in the ISMS, and find out if there are non-conformities in the documentation with regard to ISO 27001. A call to your friendly ISO Consultant might help here if you get stuck(!)

Creating the checklist.

Also quite simple – make a checklist based on the document review, i.e., read about the specific requirements of the policies, procedures and plans written in the documentation and write them down so that you can check them during the main audit. For example, if the data backup policy requires the backup to be made every 6 hours, then you have to note this in your checklist in order to check if it really does happen. Take time and care over this! – it is foundational to the success and level of difficulty of the rest of the internal audit, as will be seen later.

Planning the main audit.


Or “make an itinerary for a grand tour”(!). Plan which departments and/or locations to visit and when – your checklist will give you an idea of where the main focus is required.

Performing the main audit.

It is astonishingly practical! Walk around the company, talk to staff, check computers and other equipment, observe physical security, etc. Your previously-prepared ISO 27001 audit checklist now proves its worth – if it is vague, shallow, and incomplete, it is probable that you will forget to check many key things. And you will need to take detailed notes.

Reporting.

Summarize all the non-conformities and write the Internal audit report. With the checklist and the detailed notes, a precise report should not be too difficult to write. From this, corrective actions should be easy to record according to the documented corrective action procedure.

Follow-up.

It’s the internal auditor’s job to check whether all the corrective actions identified during the internal audit are addressed. The checklist and notes from “walking around” are once again crucial as to the reasons why a nonconformity was raised. The internal auditor’s job is only finished when these are rectified and closed, and the ISO 27001 audit checklist is simply a tool to serve this end, not an end in itself!

Checklist Format – Some Basic Guidelines

A suggestion to aid simplicity! We’d recommend 4 columns as follows:

Reference – e.g. the clause number of the standard, or the section number of a policy.


What to look for – what to examine, monitor, etc., during the main audit – whom to speak to, which questions to ask, records to look for, facilities to visit, equipment to check, etc.

Compliance – simply, has the company complied with the requirement? Yes or No, or occasionally “not applicable”.

Findings – details of the more specific “findings” of the main audit, i.e. staff spoken to, quotes of what they said, IDs and content of records examined, description of facilities visited, observations about the equipment checked, etc.

So, the internal audit of ISO 27001, based on an ISO 27001 audit checklist, is not that difficult – it is rather straightforward: you need to follow what is required in the standard and what is required in the documentation, finding out whether staff are complying with the procedures.

With a good ISO 27001 audit checklist, your task will certainly be a lot easier.

And if you need our help, or even want us to run some training for you, please drop us a line!

  1. Ankita on 3rd June 2016 at 13:41

    Great strategies you shared. I am new to the scene. I will be implementing these tomorrow. Thanks!