Checklist for an information security audit
Sieuwert van Otterloo
Several participants of our information security training course have asked us for an audit plan checklist. In this article we share our checklist based on the official IRCA/CQI guidelines. The checklist is applicable to both internal and external audits. It was designed for ISO 27001 audits but can also be used for other ISO standards.
Required elements for an audit plan
The following elements must be included in any audit plan in order to conduct a well-planned audit:
- Audit objective: The objective can be to check compliance with the organisation’s own requirements, with ISO 27001, with contractual agreements, and/or with legal obligations such as the GDPR.
- Scope: It should be clear which activities are in scope, and which organisations or departments (e.g. suppliers) at which locations. It is of course possible to include the entire organisation in scope, but make sure that it is clear what is meant by ‘the entire organisation’, since some company groups have a complicated structure.
- Criteria and relevant documents: The criteria can be a norm such as ISO 27001. Make sure to include a specific reference since many norms have different versions or variants (e.g. ISO 27001:2013).
- Locations: To avoid logistical issues and to make sure audit effort is estimated correctly, make clear which locations will be visited during the audit.
- Dates: It must be clear when exactly the audit will be conducted and what the total effort for the audit is.
- Team: The audit team must be objective, impartial, and have the required skills and expertise to conduct the audit. It must be clear what the role is of each person in the team (e.g. auditor, lead auditor, or observer).
You must share the plan in advance with the auditee representative. This way the auditee can make staff available and prepare. Planning in advance is itself an ISO 27001 control: control number A.12.7.1 states that audit activities must be carefully planned and agreed to minimise business disruption.
Audit scope for ISO 27001 audits
One of the ISO 27001 requirements is to have an internal audit programme to check all the ISO 27001 requirements. Audits must be scheduled at planned intervals. Typically, there are multiple audits per year (e.g. each quarter) and each audit covers part of the ISO 27001 main requirements and several chapters of the ISO 27002 controls. The scope of each audit is therefore a subset of the following list:
- Ch4 Context of the organisation (see this article for explanation of the ISO 27001 chapters)
- Ch5 Leadership
- Ch6 Planning
- Ch7 Support
- Ch8 Operation
- Ch9 Performance evaluation
- Ch10 Improvement
- A5 Information security policies (see this article for explanation of all ISO 27001 controls)
- A6 Organisation of information security
- A7 Human resource security
- A 17
- A18 Compliance
For each audit, one can either do all or some of these topics, for all or some locations, and for all or some departments. The main requirement is that all of the audits should together cover the entire scope of the Information Security Management System.
If you would like more information about audit planning and ISO 27001, don’t hesitate to attend a training course, join our LinkedIn discussion group Information Security NL, or check some of our other articles on security or privacy.
Dr. Sieuwert van Otterloo is a court-certified IT expert with interests in agile, security, software research and IT-contracts.