
If you are planning your ISO 27001 internal audit for the first time, you are probably puzzled by the complexity of the standard and by what you should actually check during the audit. So you are looking for some kind of ISO 27001 audit checklist to help you with this task.

ISO 27001 Audit Checklist

Although they are helpful to an extent, there is no universal checklist that can fit your company needs perfectly, because every company is very different. However, you can create your own basic ISO 27001 audit checklist, customised to your organisation, without too much trouble.

Some Basic Steps in the ISO 27001 Internal Audit

1. Document review
In this step you read the ISMS documentation (scope, policies, procedures, risk assessment and Statement of Applicability, plans and records). You need to understand the processes in the ISMS and find out whether the documentation itself has nonconformities with regard to ISO 27001 before you go and check whether it is being followed.

2. Create the checklist
You build the checklist from the document review: read the specific requirements of the policies, procedures and plans in the ISMS documentation and write each one down as an item to verify during the main audit.

3. Planning the main audit
Since there will be many things to check, you should plan which departments and/or locations to visit and when. Your checklist will show where to focus most of your time.

4. Performing the main audit
The main audit is very practical. You walk around the company and talk to employees, check computers and other equipment, observe physical security, and so on. Your previously prepared ISO 27001 audit checklist now proves its worth: if it is vague, shallow or incomplete, it is likely that you will forget to check many key things. Take detailed notes throughout, because they are the evidence for every finding.

5. Reporting
Once you finish the main audit, summarise all the nonconformities and write the internal audit report. With the checklist and the detailed notes, a precise report should not be difficult to write. From this report, corrective actions can then be recorded according to the documented corrective action procedure.

6. Follow up
It is the internal auditor's job to check whether all the corrective actions raised during the internal audit have been addressed. Your checklist and notes are very useful here to remind you why you raised each nonconformity in the first place. The internal auditor's job is only finished when these are rectified and closed.

What to include in your ISO 27001 Audit Checklist

Normally, the checklist for the internal audit contains four columns:

Reference – e.g. the clause or Annex A control number in the standard, or the section number of a policy or procedure.

What to look for – what to examine, monitor, etc., during the main audit – whom to speak to, which questions to ask, records to look for, facilities to visit, equipment to check, etc.

Compliance – simply, has the company complied with the requirement? (Leave it blank until the item has actually been audited, so that gaps are visible.)

Findings – details of what you found during the main audit: names of the persons you spoke to, quotes of what they said, IDs and content of the records you examined, descriptions of the facilities you visited, observations about the equipment you checked, etc.
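The four-column checklist and the reporting and follow-up steps above are easy to keep honest in a small script. The following is an added example, not code from the original post: it loads a checklist in the four-column layout from CSV, separates nonconformities from items that were never audited (the "incomplete checklist" failure mode from step 4), writes the step-5 report, and tracks closure of corrective actions for step 6. The sample rows are constructed for illustration; the clause and Annex A numbers are ISO 27001:2013 references, but the findings are made up.

```python
import csv
import io
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ChecklistItem:
    """One row of the four-column audit checklist."""
    reference: str               # clause or policy section
    what_to_look_for: str        # whom to ask, which records to pull, what to observe
    compliant: Optional[bool]    # None means the item has not been audited yet
    findings: str                # evidence: people spoken to, record IDs, observations
    action_closed: bool = False  # set during follow-up once the corrective action is verified


# Constructed sample checklist for demonstration; not taken from a real audit.
SAMPLE_CHECKLIST = """reference,what_to_look_for,compliant,findings
5.2,"Information security policy approved by top management and communicated; ask for the signed copy",yes,"Policy v3 signed by the CEO; published on the intranet"
A.9.2.6,"Access rights removed on termination: compare HR leavers list with directory accounts",no,"2 of 10 sampled leavers still had enabled accounts"
A.12.4.1,"Event logs produced, retained and reviewed; ask who reviews them and see the review records",no,"Logs retained, but no review record for the last quarter"
A.11.1.2,"Physical entry controls on the server room; visit the room and check the access log",,
"""


def parse_compliance(value: str) -> Optional[bool]:
    v = value.strip().lower()
    if v in ("yes", "y", "true"):
        return True
    if v in ("no", "n", "false"):
        return False
    return None  # blank cell: the item was never audited


def load_checklist(csv_text: str) -> List[ChecklistItem]:
    rows = csv.DictReader(io.StringIO(csv_text))
    return [
        ChecklistItem(
            reference=r["reference"].strip(),
            what_to_look_for=r["what_to_look_for"].strip(),
            compliant=parse_compliance(r["compliant"] or ""),
            findings=(r["findings"] or "").strip(),
        )
        for r in rows
    ]


def nonconformities(items: List[ChecklistItem]) -> List[ChecklistItem]:
    return [i for i in items if i.compliant is False]


def unaudited(items: List[ChecklistItem]) -> List[ChecklistItem]:
    """Items with no verdict: gaps the main audit still has to cover."""
    return [i for i in items if i.compliant is None]


def audit_report(items: List[ChecklistItem]) -> str:
    """Step 5: summarise nonconformities together with the evidence behind each."""
    lines = [f"Internal audit report: {len(nonconformities(items))} nonconformity(ies), "
             f"{len(unaudited(items))} item(s) not audited"]
    for i in nonconformities(items):
        lines.append(f"NC {i.reference}: {i.findings}")
    for i in unaudited(items):
        lines.append(f"NOT AUDITED {i.reference}: {i.what_to_look_for}")
    return "\n".join(lines)


def close_action(items: List[ChecklistItem], reference: str) -> None:
    """Step 6: record that the corrective action for a nonconformity was verified."""
    for i in items:
        if i.reference == reference and i.compliant is False:
            i.action_closed = True
            return
    raise KeyError(f"no open nonconformity with reference {reference}")


def open_actions(items: List[ChecklistItem]) -> List[str]:
    return [i.reference for i in nonconformities(items) if not i.action_closed]


def audit_finished(items: List[ChecklistItem]) -> bool:
    """Done only when every item was audited and every nonconformity is closed."""
    return not unaudited(items) and not open_actions(items)


if __name__ == "__main__":
    checklist = load_checklist(SAMPLE_CHECKLIST)
    print(audit_report(checklist))
    close_action(checklist, "A.9.2.6")
    print("still open:", open_actions(checklist))
    print("finished:", audit_finished(checklist))
```

Keeping the compliance column as a three-state value (yes, no, blank) rather than a plain yes/no is the point of the example: an item that nobody got round to checking must not quietly count as compliant, and the follow-up is not finished while any nonconformity is still open.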

So the ISO 27001 internal audit, done against a good checklist, is not that difficult; it is rather straightforward. You follow what the standard requires and what your own documentation requires, and you find out whether staff are actually complying with the procedures.

With a good ISO 27001 audit checklist, your task will certainly be a lot easier.


Arguably one of the most difficult elements of achieving ISO 27001 certification is providing the documentation for the information security management system (ISMS). The ISO 27001 documentation that is required to create a conforming system, particularly in more complex businesses, can sometimes be up to a thousand pages.

The key clauses of ISO 27001 set out a range of documentation requirements for developing, implementing and maintaining an information security management system.

Requirements of Documents for ISO 27001 Certification:

ISO 27001:2013 documents

  1. ISMS Manual:

    The ISMS manual is the top-level document of the information security management system. The standard does not name a "manual" as such, but it does require the ISMS scope and the information security policy to be documented, and the manual is where these usually live. It typically includes the ISMS scope, the role(s) undertaken by the organisation, justified exclusions of Annex A controls, references to the other ISMS documents, and the business process model.

  2. ISO 27001 Procedures:

    Procedure documents are required as necessary for the effective planning, operation, control and monitoring of ISMS processes and for their improvement. The mandatory procedures cover the clause requirements that must be followed while implementing and maintaining the information security management system.

  3. Standard Operating Procedures:

    The SOP documents contain sample work instructions linked to the significant information security aspects and issues in the organisation. They serve as a training guide as well as a way to establish control and build the system in the organisation. They define the various processes and provide quick answers to common questions about how a task is carried out.

  4. Process Flow Charts:

    These cover the process guidelines and the process model: flow charts of all the main and critical processes, with an input-output matrix for each. They help an organisation with process mapping and with preparing its own process documents.

  5. ISO 27001 Policies:

    The ISO 27001:2013 policies define the purpose, direction, principles and basic rules for information security management. They cover the controls applied as per ISO 27001:2013. Policy document templates are provided to frame the information security controls.

  6. ISO 27001 Formats:

    The format documents (record templates) are designed to maintain the records the standard requires, as well as to establish control and build the system in the organisation.

  7. ISO 27001 Audit Checklists:

    The audit checklist documents audit questions based on the ISO 27001:2013 requirements, organised both clause-wise and department-wise. It is a useful tool for auditors to build a clause-wise audit questionnaire and to assess the effectiveness of the ISMS during the audit.

Containing every document template you could need (both mandatory and optional), as well as work instructions, project tools and documentation-structure guidance, the ISO 27001:2013 Documentation Toolkit is the most comprehensive option on the market for completing your documentation.