List of Comprehensive ISO 27001 Checklist for ISO 27001 Certification. Detailed ISO 27001 Audit Checklist covering each of ISO 27001 requirements enable ISO 27001 Compliance.
ISO 27001 checklist is useful for carrying out thorough ISO 27001 compliance audit. The ISO 27001 audit Checklist is the ultimate ready reckoner for conducting value added in depth ISMS audit. The compliance checklist on ISO 27001 is helpful for organization seeking ISO 27001 certification, maintaining the ISO 27001 certificate, and establishing a solid ISMS framework. ISO 27001 checklist is prepared by industry experts who are Principal auditors and Lead Instructors of Information Security.
For conduct of ISO 27001 audit by using the Comprehensive ISO 27001 Checklist, consideration of the following factors would be highly beneficial to the ISMS auditor team.
An ISO 27001 audit can be performed using a range of ISMS audit methods. An explanation of commonly used ISO 27001 audit methods is described here. The Information Security audit methods chosen for an audit depend on the defined ISMS audit objectives, scope and criteria, as well as duration and location. Available auditor competence and any uncertainty arising from the application of audit methods should also be considered. Applying a variety and combination of different ISMS audit methods can optimize the efficiency and effectiveness of the audit process and its outcome.
Performance of an ISO 27001audit involves an interaction among individuals with the Information Security management system being audited and the technology used to conduct the audit. Examples of ISO 27001 audit methods that can be used are provided below, singly or in combination, in order to achieve the audit objectives. If an ISMS audit involves the use of an audit team with multiple members, both on-site and remote methods may be used simultaneously.
The audit team members should collect and review the information relevant to their audit assignments and prepare work documents, as necessary, for reference and for recording audit evidence. Such work documents may include ISO 27001 Checklist.
The use of ISO 27001 Compliance checklist and forms should not restrict the extent of audit activities, which can change as a result of information collected during the ISMS audit.
Extent of involvement between the Information Security auditor and the auditee
Human interaction at Site
Conducting interviews.
Completing ISO 27001 checklists and ISO 27001 assessment questionnaire with auditee participation.
Conducting document review with auditee participation.
Sampling.
Human interaction at Remote
Via interactive communication means:
conducting interviews;
completing ISO 27001 audit checklists and questionnaires;
conducting document review with auditee participation.
Minimal human interaction at site for
Conducting document review (e.g. records, data analysis).
Observation of work performed.
Conducting on-site visit.
Completing ISO 27001checklists.
Sampling (e.g. products).
Minimal human interaction at Remote for
Conducting document review (e.g. records, data analysis).
Observing work performed via surveillance means, considering social and legal requirements.
Analyzing data.
On-site audit activities are performed at the location of the auditee. Remote audit activities are performed at any place other than the location of the auditee, regardless of the distance.
Interactive audit activities involve interaction between the auditee’s personnel and the audit team. Non-interactive audit activities involve minimal or no human interaction with persons representing the auditee but do involve interaction with equipment, facilities and documentation.
The responsibility of the effective application of information Security audit methods for any given audit in the planning stage remains with either the person managing the audit program or the audit team leader. The audit team leader has this responsibility for conducting the audit activities.
The feasibility of remote audit activities can depend on the level of confidence between auditor and auditee’s personnel.
On the level of the audit program, it should be ensured that the use of remote and on-site application of audit methods is suitable and balanced, in order to ensure satisfactory achievement of audit program objectives.
Conducting document review during ISO 27001 Audit
Document review can give an indication of the effectiveness of Information Security document control within the auditee’s ISMS. The auditors should consider if the information in the ISMS documents provided is:
— complete (all expected content is contained in the document);
— correct (the content conforms to other reliable sources such as standards and regulations);
— consistent (the document is consistent in itself and with related documents);
— current (the content is up to date);
— the documents being reviewed cover the audit scope and provide sufficient information to support the
audit objectives;
— the use of information and communication technologies, depending on the audit methods, promotes
efficient conduct of the audit: specific care is needed for information security due to applicable regulations
on protection of data (in particular for information which lies outside the ISO 27001 audit scope, but which is also contained in the document).
While using ISO 27001 audit checklist pay attention to Sampling of Audit Evidences and artifacts
Audit sampling takes place when it is not practical or cost effective to examine all available information during an ISO 27001 audit, e.g. records are too numerous or too dispersed geographically to justify the examination of every item in the population. Audit sampling of a large population is the process of selecting less than 100 % of the items within the total available data set (population) to obtain and evaluate evidence about some characteristic of that population, in order to form a conclusion concerning the population. The objective of ISMS audit sampling is to provide information for the auditor to have confidence that the audit objectives can or will be achieved. The risk associated with sampling is that the samples may be not representative of the population from which they are selected, and thus the information security auditor’s conclusion may be biased and be different to that which would be reached if the whole population was examined. There may be other risks depending on the variability within the population to be sampled and the method chosen. Audit sampling typically involves the following steps:
— establishing the objectives of the sampling plan;
— selecting the extent and composition of the population to be sampled;
— selecting a sampling method;
— determining the sample size to be taken;
— conducting the sampling activity;
— compiling, evaluating, reporting and documenting results.
When sampling, consideration should be given to the quality of the available data, as sampling insufficient
and inaccurate data will not provide a useful result. The selection of an appropriate sample should be based on both the sampling method and the type of data required, e.g. to infer a particular behavior pattern or draw inferences across a population. Reporting on the sample selected could take into account the sample size, selection method and estimates made based on the sample and the confidence level.
When using ISO 27001 Compliance checklist ISO 27001 Auditor can use either judgement-based sampling or statistical sampling.
Judgement-based sampling for ISO 27001 audit
Judgement-based sampling relies on the knowledge, skills and experience of the information security audit team. For judgement-based sampling, the following can be considered:
— previous audit experience within the ISO 27001 audit scope;
— complexity of requirements (including legal requirements) to achieve the objectives of the audit;
— complexity and interaction of the organization’s processes and management system elements;
— degree of change in technology, human factor or management system;
— previously identified key Information Security risk areas and areas of improvement;
— output from monitoring of information security management systems.
A drawback to judgement-based sampling is that there can be no statistical estimate of the effect of uncertainty in the findings of the audit and the conclusions reached.
Statistical sampling for conduct of ISO 27001 audit
If the decision is made to use statistical sampling, the sampling plan should be based on the audit objectives and what is known about the characteristics of overall population from which the samples are to be taken.
— Statistical sampling design uses a sample selection process based on probability theory. Attribute-based sampling is used when there are only two possible sample outcomes for each sample (e.g. correct/incorrect or pass/fail). Variable-based sampling is used when the sample outcomes occur in a continuous range.
— The sampling plan should take into account whether the outcomes being examined are likely to be
attribute-based or variable-based. When examining the occurrence of the number of security breaches, a variable-based approach would likely be more appropriate. The key elements that will affect the ISO 27001 audit sampling plan are:
— the size of the organization;
— the number of competent auditors;
— the frequency of audits during the year;
— the time of individual audit;
— any externally required confidence level.
— When a statistical sampling plan is developed, the level of sampling risk that the auditor is willing to accept is an important consideration. This is often referred to as the acceptable confidence level. For example, a sampling risk of 5 % corresponds to an acceptable confidence level of 95 %. A sampling risk of 5 % means the auditor is willing to accept the risk that 5 out of 100 (or 1 in 20) of the samples examined will not reflect the actual values that would be seen if the entire population was examined.
When statistical sampling is used, auditors should appropriately document the work performed. This
should include a description of the population that was intended to be sampled, the sampling criteria used
for the evaluation (e.g. what is an acceptable sample), the statistical parameters and methods that were
utilized, the number of samples evaluated and the results obtained.
When using ISO 27001 checklist, Selecting sources of information for ISO 27001 audit
The sources of information selected can according to the scope and complexity of the audit and may include the following:
— interviews with employees and other persons;
— observations of activities and the surrounding work environment and conditions;
— documents, such as policies, objectives, plans, procedures, standards, instructions, licenses and permits, specifications, drawings, contracts and orders;
— records, such as inspection records, minutes of meetings, audit reports, records of monitoring program
and the results of measurements;
— data summaries, analyses and performance indicators;
— information on the auditee’s sampling plans and on the procedures for the control of sampling and
measurement processes;
— reports from other sources, e.g. customer feedback, external surveys and measurements, other relevant information from external parties and supplier ratings;
— databases and websites;
— simulation and modelling.
As per ISMS audit checklist Recording conformity of ISO 27001 compliance
For records of conformity, the following should be considered:
— identification of the audit criteria against which conformity is shown;
— audit evidence to support conformity;
— declaration of conformity, if applicable.
Recording nonconformity of ISO 27001 compliance
For records of nonconformity, the following should be considered:
— description of or reference to audit criteria;
— nonconformity declaration;
— audit evidence;
— related audit findings, if applicable.
Dealing with ISO 27001 findings related to multiple criteria
During an audit, it is possible to identify findings related to multiple criteria. Where an auditor identifies a
finding linked to one criterion on a combined audit, the auditor should consider the possible impact on the
corresponding or similar criteria of the other management systems. Depending on the arrangements with the audit client, the auditor may raise either:
— separate findings for each criterion; or
— a single finding, combining the references to multiple criteria.