Internal Audit Checklist
Conduct comprehensive internal audits of your ISO 27001 controls
About This Tool
How the Quick Audit works
Answer 16 yes/partial/no questions covering ISO 27001 clauses 4-10 and the key Annex A themes most often tested in stage-1 and stage-2 audits. We weight each answer (Nonconformity = 0%, Partial = 50%, Compliant = 100%, N/A excluded) and produce a readiness score, dashboard and ranked findings list. Takes around 3 minutes - no signup required.
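As an added example that is not part of the page's own tool code, the weighting described above as a scoring function: N/A answers are dropped from the denominator, an all-N/A submission returns no score rather than a misleading 100%, and findings are ranked with nonconformities ahead of partials (the ranking order, the area labels and the status strings are assumptions).

```python
from dataclasses import dataclass

# Weights from the Quick Audit description: Nonconformity 0%, Partial 50%, Compliant 100%.
WEIGHTS = {"compliant": 1.0, "partial": 0.5, "nonconformity": 0.0}

@dataclass(frozen=True)
class Answer:
    area: str    # checklist area label (illustrative)
    status: str  # "compliant" | "partial" | "nonconformity" | "na"

def readiness_score(answers):
    """Percentage of achievable points over the answered (non-N/A) areas.
    Returns None when every area is N/A, so 'nothing assessed' is never
    reported as 'fully compliant'."""
    scored = [a for a in answers if a.status != "na"]
    if not scored:
        return None
    for a in scored:
        if a.status not in WEIGHTS:
            raise ValueError(f"unknown status {a.status!r} for {a.area}")
    return round(100 * sum(WEIGHTS[a.status] for a in scored) / len(scored), 1)

def ranked_findings(answers):
    """Findings in remediation order (assumed ranking): nonconformities first,
    then partials, each group in checklist order. Compliant and N/A areas
    are not findings. sorted() is stable, so checklist order is preserved."""
    severity = {"nonconformity": 0, "partial": 1}
    findings = [a for a in answers if a.status in severity]
    return sorted(findings, key=lambda a: severity[a.status])

# Constructed sample: four of the sixteen areas answered
SAMPLE = [
    Answer("Clause 4: context and scope", "compliant"),
    Answer("Clause 6.1: risk assessment", "partial"),
    Answer("A.8.15: event logging", "nonconformity"),
    Answer("A.5.23: cloud services", "na"),
]

if __name__ == "__main__":
    print(readiness_score(SAMPLE))  # 50.0 (1 + 0.5 + 0 over 3 scored areas)
    for f in ranked_findings(SAMPLE):
        print(f.status, "-", f.area)
```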
Quick Audit - 16 areas
Has the organization determined external/internal issues, interested parties and the ISMS scope?
What an auditor expects: Clauses 4.1 to 4.3 require a documented context analysis, a stakeholder register with their requirements, and an approved ISMS scope statement that defines boundaries and exclusions.
Typical evidence: Context analysis document, stakeholder register, signed ISMS scope statement.
Is top management demonstrably committed and is the information security policy approved and communicated?
What an auditor expects: Clauses 5.1 to 5.3 expect evidence of leadership commitment (objectives, resources, management reviews) plus an approved, communicated security policy with assigned roles and responsibilities.
Typical evidence: Signed policy, management review minutes, RACI / role descriptions.
Is there a documented risk assessment methodology, a current risk register and a risk treatment plan?
What an auditor expects: Clauses 6.1.2 and 6.1.3 require a repeatable methodology, a maintained risk register linked to assets/threats/vulnerabilities, and treatment decisions traceable to Annex A controls and the SoA.
Typical evidence: Risk methodology, risk register, risk treatment plan, Statement of Applicability.
Are measurable security objectives defined, planned and monitored at relevant functions and levels?
What an auditor expects: Clause 6.2 requires SMART security objectives tied to the policy, with owners, target dates, resources and a method to monitor progress.
Typical evidence: Objectives register, KPI dashboard, evidence of monitoring.
Do staff receive role-based security training and is competence evidence retained?
What an auditor expects: Clauses 7.2/7.3 and Annex A.6.3 require staff competence, role-based awareness training (including ISMS policies relevant to them), phishing simulations and retained training records.
Typical evidence: Training plan, completion records, phishing simulation reports.
Is ISMS documentation controlled (versioning, approval, access and retention)?
What an auditor expects: Clause 7.5 requires identification, format, review/approval, distribution control, access control, retention and disposition of all ISMS documents and records.
Typical evidence: Document control procedure, master document list, version history.
Are security controls operating consistently and are changes/outsourced processes controlled?
What an auditor expects: Clauses 8.1 to 8.3 require planning, implementing and controlling processes (including change control and outsourced processes), with documented information to demonstrate they run as planned.
Typical evidence: Change records, control operation logs, supplier oversight records.
Is least-privilege enforced, with MFA, joiner/mover/leaver and periodic access reviews?
What an auditor expects: These Annex A controls require an access policy, formal user registration/de-registration, privileged access management, MFA on key systems and periodic reviews of access rights.
Typical evidence: Access policy, JML tickets, access review reports, MFA coverage report.
Are security events logged centrally, protected from tampering and monitored for anomalies?
What an auditor expects: Annex A.8.15 to A.8.17 require event logging on key systems, protection of log information, monitoring activities and clock synchronisation across systems.
Typical evidence: SIEM/log retention policy, sample alerts, clock sync configuration.
Is there a tested incident response plan with classification, reporting and post-incident review?
What an auditor expects: Annex A.5.24 to A.5.28 require planning, reporting, assessing, responding to and learning from information security incidents, including evidence collection.
Typical evidence: Incident response plan, incident tickets, post-incident review notes.
Are backups, ICT continuity and redundancy tested against defined RTO/RPO?
What an auditor expects: These controls require continuity planning, ICT readiness, redundancy of facilities, backups taken/protected and regularly tested against documented RTO/RPO.
Typical evidence: BCP/DRP, backup logs, restore-test evidence, RTO/RPO register.
Are suppliers (incl. cloud) inventoried, contractually bound to security and monitored?
What an auditor expects: Annex A.5.19 to A.5.23 require a supplier inventory, security clauses in agreements, monitoring and review of supplier services, and specific controls for cloud services.
Typical evidence: Supplier inventory, due-diligence assessments, contract clauses, cloud security review.
Are ISMS performance and control effectiveness measured against defined metrics?
What an auditor expects: Clause 9.1 requires the organisation to determine what needs to be monitored, the methods, when and by whom, and to retain the results as evidence.
Typical evidence: KPI register, measurement results, monitoring reports.
Is there a planned internal audit programme with independent auditors and tracked findings?
What an auditor expects: Clause 9.2 requires a documented audit programme covering all ISMS requirements over a planned cycle, with independent auditors, defined criteria/scope and reported findings tracked to closure.
Typical evidence: Audit programme, audit plans, audit reports, finding tracker.
Does top management formally review the ISMS at planned intervals with documented inputs and outputs?
What an auditor expects: Clause 9.3 requires documented management reviews covering policy/objectives, audit results, nonconformities, risks, opportunities and resource needs, with documented decisions and actions.
Typical evidence: Management review minutes, action log, attendance list.
Are nonconformities tracked with root-cause analysis, corrective action and effectiveness checks?
What an auditor expects: Clauses 10.1 and 10.2 require reacting to nonconformities, evaluating the need for action to eliminate causes, implementing corrective actions and reviewing their effectiveness.
Typical evidence: NC register, root-cause analyses, corrective action records, effectiveness reviews.