ISO 27001 Audit Checklist: What Can You Expect?


The full process for achieving ISO 27001 compliance is lengthy, expensive, and difficult. While you can take many steps to make it easier, faster, or cheaper, there is only so much of the ground-level legwork you can sidestep if you want to succeed. Fortunately, we can help you smooth out the process.

A few weeks ago, we published a checklist for the full process to achieve ISO 27001 certification. This is a rather broad list of steps, encompassing everything from the initial reading of the ISO 27001 documentation, all the way to the remediation process when an internal or external audit finds something amiss.

Today, we’re drilling down even more specifically into the auditing process. After all, the external audit is mandatory to achieve compliance, and it’s taken very seriously by the firms that handle those audits. If you want to pass the audit, you need to take it equally seriously.

Our biggest recommendation is to perform internal audits using as close to the same standards as possible. Internal audits are cheaper, faster, and lower stakes, so in the preparatory phase, you can use them as a tool to identify holes, predict critique, locate gaps in security coverage, and remediate any issues you find.

What do you need to look into, specifically? Here’s our checklist to help you with a comprehensive review.

BLUF - Bottom Line Up Front

Achieving ISO 27001 compliance involves a complex process requiring extensive documentation and thorough audits. Internal audits, following similar standards as external ones, help pinpoint security gaps and prepare for the mandatory external audit. Key documents include a Statement of Applicability, information security policies, and risk assessment plans. Training employees and establishing clear roles are crucial. Consider using platforms like Ignyte to streamline documentation and collaboration and maintain ongoing compliance through regular internal audits.

Documents You Need

A key part of any ISO 27001 audit is a thorough review of the documentation you compile for each of the security controls and segments of your ISMS. These can range from your overall security policies to the specific plans and procedures you need to follow, all the way to your Statement of Applicability.


In broad strokes, you need the following documentation:

  • Overall Statement of Applicability
  • The Scope of the ISMS
  • Your Information Security Policy
  • Documentation of Information Necessary to Support the ISMS
  • Risk Assessment Process and Methodology Documentation
  • Risk Treatment Plan
  • Your Information Security Objectives
  • Definition of Security Roles and Their Responsibilities
  • Assignment of Personnel to Those Roles
  • Evidence of Competence in Security
  • Asset Inventory
  • Acceptable Use Policy for Assets
  • Operational Planning Documentation
  • Risk Assessment Review Results
  • Evidence of Risk Treatment
  • Access Control Policies
  • Evidence of ISMS Monitoring and Tracking
  • Management Review Results
  • Evidence of Nonconformities and Corrective Actions
  • Security Incident Logs

If you are compiling this for your external audit, you will also need documentation of the structure, process, and results of your internal audits; if you are compiling it for an internal audit, remember to document that audit so it can be presented at the external one.

This list is generally comprehensive, but it’s important to remember that each item does not necessarily represent one document but rather a category of documentation. You may very well need to produce a dozen or more individual documents for each. Some things, like an asset inventory, can be one comprehensive document. Others, like management review results, may be individual packets of information for each management team member.

When in doubt, document everything and ensure those documents are stored in a known location, published as necessary, updated when relevant, and accessible to auditors.

The Statement of Applicability

Though the statement of applicability is already listed above, it’s important enough that it’s worth having its own entry.

ISO 27001’s most recent version contains 93 controls across 4 domains. This is a recategorization and simplification of the previous version of ISO 27001, which had 114 controls across 14 categories. The categories have generally been merged into Organizational, People, Physical, and Technological. Overall, 11 new controls were added, 57 controls were merged into “new” controls that encompass everything they did before, and 23 controls were renamed while remaining the same.

  • Organizational has 37 controls
  • People has 8 controls
  • Physical has 14 controls
  • Technological has 34 controls

The end result of the change from ISO 27001:2013 to ISO 27001:2022 is that there are effectively more things to pay attention to, but they aren’t fragmented as much across different categories. Overall, this helps to reduce confusion surrounding similar controls and where documentation lives for each.

For each control, you will need to conduct a risk assessment and produce a risk treatment plan. For each risk, the treatment plan selects one of four options:

  • Treat the risk by addressing the cause and removing it as a risk.
  • Avoid the risk by identifying why it’s a risk and removing the possibility.
  • Transfer the risk by making your portion of the pipeline secure and handing over responsibility to more applicable parties.
  • Accept the risk by ensuring you have appropriate security, monitoring, and incident response plans in case the risk comes home to roost.

All of this needs to be documented, including both the risk assessment and the risk treatment.

Once you have done this, you can fill out a statement of applicability. A statement of applicability doesn’t need to be complex, and while templates exist, you don’t really need one. All you need is a spreadsheet with:

  • The numerical designation of each control.
  • The name of each control.
  • Whether or not that control is applicable to your organization.
  • If applicable, whether or not the control is implemented.
  • A description, unique to your organization, of:
    • If the control is applicable, how the control applies to your organization.
    • If the control is not applicable, your justification for why not.

Here’s an example of what a statement of applicability can look like.

[Figure: The Statement of Applicability]

A word of caution: be very careful about designating a control as not applicable. It is very rare that a control is truly not applicable, and listing a valid control as not applicable can be a significant cause for a failed audit. In general, if you’re in a position where numerous security controls aren’t applicable, you probably aren’t in a position where ISO 27001 is applicable either.
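The spreadsheet layout above is simple enough to validate automatically before an auditor sees it. The following is an added example, not Ignyte's code or part of the standard: it reads an SoA kept as CSV (the column names are an assumption for this example), flags rows whose description or justification is empty, rows marked implemented while also marked not applicable, duplicate control ids, and every "not applicable" row for the review the caution above calls for, and reports how many controls per domain are still missing against the 37/8/14/34 split.

```python
import csv
import io

# Domain sizes for ISO 27001:2022 as given in the article (37 + 8 + 14 + 34 = 93).
EXPECTED_DOMAIN_COUNTS = {"Organizational": 37, "People": 8,
                          "Physical": 14, "Technological": 34}

# Constructed sample SoA rows; the column names are assumptions for this example.
SAMPLE_SOA = """control_id,name,domain,applicable,implemented,description
5.1,Policies for information security,Organizational,yes,yes,ISP v3 approved by CISO 2024-01
6.3,Information security awareness and training,People,yes,no,Rollout planned Q3
7.7,Clear desk and clear screen,Physical,no,no,
8.7,Protection against malware,Technological,yes,yes,EDR on all endpoints
8.7,Protection against malware,Technological,no,yes,
"""

def parse_soa(text):
    """Read the SoA CSV into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def _yes(value):
    return value.strip().lower() == "yes"

def row_findings(rows):
    """Per-row problems an auditor would flag before looking at the controls themselves."""
    findings, seen = [], set()
    for r in rows:
        cid = r["control_id"].strip()
        if cid in seen:
            findings.append(f"{cid}: duplicate control id")
        seen.add(cid)
        if r["domain"].strip() not in EXPECTED_DOMAIN_COUNTS:
            findings.append(f"{cid}: unknown domain {r['domain']!r}")
        applicable, implemented = _yes(r["applicable"]), _yes(r["implemented"])
        if not r["description"].strip():
            # Both branches of the sheet need text: how the control applies, or why it does not.
            findings.append(f"{cid}: missing description or justification")
        if not applicable and implemented:
            findings.append(f"{cid}: implemented but marked not applicable")
        if not applicable:
            findings.append(f"{cid}: marked not applicable; expect the auditor to probe this")
    return findings

def coverage_gaps(rows):
    """Controls still missing per domain, counting each control id once."""
    counted = {}
    for r in rows:
        counted.setdefault(r["domain"].strip(), set()).add(r["control_id"].strip())
    return {d: n - len(counted.get(d, set())) for d, n in EXPECTED_DOMAIN_COUNTS.items()}
```

Running `row_findings(parse_soa(SAMPLE_SOA))` on the constructed rows yields six findings, four of them from the duplicated, contradictory 8.7 row; `coverage_gaps` then shows how far the sheet is from covering all 93 controls.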

Compliance and Audit Process Checklist

Now, let’s walk through what you’ll need to do in a checklist form so you can ensure that you’re as compliant as possible going into an audit.


Obtain a copy of the ISO 27001:2022 standard documentation. As you might imagine, without the core documentation to reference, it’s essentially impossible to achieve compliance with ISO 27001.

Obtain ISO 27002 documentation. ISO 27002 is not itself a set of standards but is rather a companion document to go along with 27001. It serves as a resource for recommendations, best practices, and more “plain English” translations of more complex language in 27001. You don’t strictly need it, but it’s extremely helpful.

Establish documentation standards. In particular, you need:

  • Branding to ensure your documentation is identifiably yours with relevant information.
  • Versioning and version history records, usually on a cover page for each document, so you know you always have the most updated versions of each.

Modern documentation technology can insert dynamic elements for things like page numbers and certain changing information so that you don’t need to manually adjust it all every time a change is made.

Develop your roles, outline responsibilities, and assign employees. Knowing who is in charge of each domain and team, making sure they know it, and documenting all of it is a key part of passing an ISO 27001 audit. One document in particular, the Accountability Matrix, is used to track all of this.

Special note: A key part of ISO 27001 is continuity. If an employee in one of these roles leaves the organization, you need to have processes in place to carry over role, responsibility, and accountability seamlessly in the transition. All of this needs to be documented as well.

Document your security policies. Anything that has an ISO 27001 security control attached will generally also have a written policy and documentation attached as well, which you need to create and store with your documents. Policies will include:

  • Information security policy
  • Access control policy
  • Asset management policy
  • Risk management policy
  • Information classification and handling policy
  • Information security awareness and training policies
  • Acceptable use policies
  • Clear desk/clear screen policies
  • Mobile work and telework policies
  • Backup policies
  • Malware and antivirus policies
  • Change management process policies
  • Continual improvement policies
  • Logging and monitoring policies
  • Physical security policies
  • Environmental security policies
  • Cryptographic control and encryption policies
  • Patch management policies
  • HR and other business policies, such as parental leave, grievance, and anti-bribery policies

This isn’t a comprehensive list; you will likely need to derive your policies list from your business operations, your statement of applicability, and similar.

Train employees. A huge part of ISO 27001 – and indeed, all modern cybersecurity and information security – is individual awareness and training. Technology is sometimes the weak link, but far more often, people are the vector for intrusion.

In order to be ISO 27001 compliant, you need all of your employees (or at least all who can access any relevant system, facility, or asset) to be properly trained in your policies and their responsibilities within their roles. Since there’s no easy way to validate this, you need to implement training and proof of completion of that training. This, of course, needs to be documented as well.

Developing all of this yourself is difficult, but there are many off-the-shelf training tools that incorporate both standardized training modules and the option to develop your own customized training as necessary, including products designed specifically for ISO 27001 training. Feel free to look into these at your leisure.

Perform and Record Internal Audits

A final critical element of ISO 27001 compliance is the internal audit process. Part of the external audit, in fact, is identifying and evaluating the quality of your internal audit process, and reviewing the outcome of those internal audits.

We’ve referred to the content of this post as something similar to an internal audit, but it’s more of a hybrid of internal auditing, feedback, and the full development and compliance process.


An actual internal audit is narrower in scope because you aren’t doing all of this work each time; you’re checking that the work has been maintained, that updates are made where and when applicable, and that if the overall operations of the company or the prevailing winds of cybersecurity change, you change with them.

Thus, it’s key that you have an internal audit plan outlined alongside a templated results document and the written reports necessary to translate those results into actionable and usable documentation. All of this is, again, part of your ISO 27001 documentation and will be reviewed in your external audit.

Remember as well that you will need a routine schedule of internal audits as part of post-certification compliance, and failure to perform those audits (or remediate their findings) is grounds for loss of certification.

Seek Help

Everything involved with ISO 27001 – and any security framework, really – is an immense amount of internal review, assessment, and critical thought, culminating in a library’s worth of documentation. Without a firm idea of what you need to do and what you need at the end of the process, it can be an incredible mess.

One of the most important things to do is make sure you have some way for team members and those in responsible roles to collaborate, and when documentation is produced, the documentation is accessible and updated conveniently. A huge roadblock many organizations encounter is the use of siloed software that either doesn’t play nice across different elements of an organization, is inaccessible to different members, or is simply impossible to use for easy collaboration.


Addressing this issue is why we developed the Ignyte Platform. Our platform serves as a hub and documentation center, among many other things, for a wide range of different security frameworks, including ISO 27001. If you’re interested in using it to streamline your documentation and review or simply want to know what we can do for you, feel free to drop us a line or book a demo today.

If you have any questions about anything we went over in this article, we’d be more than happy to help you out, as well! Feel free to let us know about all your questions, and we’ll do our best to get back to you with answers as soon as we can!
