Internal Audit Checklist | www.compleye.

io

Internal Audit Checklist

A. Name of the internal auditor add name
Date of assessment add date

B. Documentation
Internal audit procedure Created / Reviewed and uploaded in section policies & procedures
Internal auditor role description Created / Reviewed and uploaded in section policies & procedures
Final report Final Internal Audit report uploaded in section Internal Audit
Findings documented Findings copied in sections Internal Audit
Improvements Improvements created for each finding - section Improvements

C. Before starting the assessment

• Mention as unapplicable controls that are excluded from the scope according to the SoA
• If an Information Security Risk Assessment and/or external audit has been performed the year before, check in
Compleye Online Internal Audit if all findings have been addressed and improvements have been closed.
D. Performing the assessment
• Include links to evidence from Compleye Online and/or from other sources in the "Evidence" column
• If evidence is not sufficient, fill in the "Topics for invesigation" column with questions and/or remarks
Review findings from previous internal and external audits to determine if improvements have been addressed
and are effective:
• If improvements have been implemented and are effective, notify that the improvement is closed
• If the improvement has not been implemented, notify this in the "Topics for investigation" column
• When all criteria have been reviewed, schedule an investigation meeting with the ISMS team members
• Provide them with the assessment before the investigation meeting so they can already review questions and
remarks and give answers/information in the "Investigation notes" column
E. Investigation meeting
Date of investigation meeting add date & people attending
• During the investigation meeting, review all questions and remarks of the "Topics for investigation" column.
• You can close findings for which the ISMS team can provide sufficient evidence of implementation.
• Concerning findings for which there is no evidence of implementation, classify the finding as non-conformity or
concern according to the classification defined in the Internal Audit procedure. If possible, define improvements
with the team for these findings.
F. Final report
• After the findings have been finalized and classified, you can list them in the final report together with the
• Once the final report is finalized, you can send it to the ISMS team and management for approval

Page 1 of 13
 Internal Audit Checklist | www.compleye.io

Disclaimer: this template provides guidelines on how to perform an Internal audit assessment Ch4-10. The criteria listed below are suggestions based on what evidence can be found in Compleye Online - you can add the link to specific section in Compleye Online. If you store evidence in other tooling you can refer to. It
is possible for each organization to define new criteria adjusted to the organization's context and their own requirements as defined in their policies and procedures.
Results Internal Audit - Ch 4-10

Chapter Norm Description Criteria Links to evidence Topics for investigation Investigation Notes Classification of Finding (after
Investigation)
Non-conformity Opportunity for
improvement
4. Context of the 4.1 Organization The organization shall determine external and internal issues that are relevant to its Check in Compleye Online Strategy and Ambition section if the following
Organization and context purpose and that affect its ability to achieve the intended outcome(s) of its information evidence/information was provided : Company, Product, Customer & Third Parties
security management system. and Compliance Challenge.
Check in the latest Management Review if the following topics were addressed:
Change in external and internal topics that are relevant to the ISMS, Feedback
from Stakeholders that concerns the availability, integrity and retransmission of
information
As per above, check if the information provided is not older then 1 year old.
4.2 Interested Final Internal Audit report uploaded in section Internal Audit Check in Compleye Online Interested Parties & Legal Requirements whether the
parties and their stakeholders and (legal) requirements were defined.
Requirements As per above, check if this overview is not older than 1 year.
Check in Compleye Online if the information in the Global Impact
customers/projects was defined.

As per above, if this information is available check if this information is not older
than one year and approved.
4.3 Scope of ISMS The organization shall determine the boundaries and applicability of the information Check in Compleye Online ISO Certification or Strategy & Context sections if the
security management system to establish its scope. When determining this scope, the ISMS scope was defined and documented.
organization shall consider: a. the external and internal issues referred to in 4.1, b. the As per above, check if the review of the scope is not older than 1 year .
requirements referred to in 4.2 c. interfaces and dependencies between activities
performed by the organization, and those that are performed by other organization. The
scope shall be available as documented information.
4.4 ISMS The management shall establish, implement, maintain and continually improve an Check the Improvement section and verify whether the improvements have the
information security management system, in accordance with the requirements of this assigned owner and are addressed within the established deadlines.
International Standard. Check if the improvements are included in the Management Review document.
5. Leadership 5.1 Leadership and Top Management shall demonstrate leadership and commitment with respect to the Check if the Security Policy and supporting Security Procedures were documented
Commitment information security management system by: and the final approved PDF version saved in Compleye Online Security Policies and
a)Ensuring the information security policy and the information security objectives are Procedures section.
established and are compatible with the strategic direction of the organization. Check in Compleye Online section Strategy & Ambition section if the security
b)Ensuring the integration of the information security management system requirements objectives were defined.
into the organization’s processes.
c)Ensuring the integration of the information security management system requirements Check if the Security Awareness Training refers to the security management
into the organization’s processes. procedures and was delivered in the last twelve months.
d)Ensuring that the resources needed for the information security management system
are available
e)Communicating the importance of effective information security management and of
conforming to the information security management system requirements
f)Ensuring that the information security management system achieves its intended
outcomes
g)Directing and supporting persons to contribute to the effectiveness of the information
security management system
h)Promoting continual improvement
5.2 Policy i)Supporting
Top othershall
management relevant managements
establish roles to
an information demonstrate
security their leadership as it
policy that: Check if the Security Policy and supporting Security Procedures were documented
and the final approved PDF version saved in Compleye Online Security Policies and
a) is appropriate to the purpose of the organization; Procedures section.
b) includes information security objectives (see 6.2) or provides the framework for setting Check if the policies and procedures were reviewed less than a year ago.
information security objectives; Check if the relevant security metrics were defined in Compleye Online and
c) includes a commitment to satisfy applicable requirements related to information owners are assigned to each metric
security; and Is the CTO involved in the Risk Assessments such as ISRA, High Risk Supplier
d) includes a commitment to continual improvement of the information security Assessment.
management system. Check if the ISMS team members were involved in defining the improvements
e) be available as documented information; during the management review by veryifying if they were present in the
f) be communicated within the organization; evaluation meeting?
g) be available to interested parties, as appropriate. Check if the Security Policy is given to new employees as part of the onboarding
process.
Check in information Security Communication Policy - if and how the security
policy is made available to interested parties. (e.g. customers)
5.3 Roles and Top Management shall ensure that the responsibilities and authorities for roles relevant to Check if the ISMS Roles were established and the ISMS competencies reviewed and
Responsibilities information security are assigned and communicated. Top management shall assign the approved by the CEO.
responsibilities and authority for: Check if the ISMS competencies are reviewed and assigned on the annual basis.
a)Ensuring that the information security management system confirms to the Check if the selected competencies for each role are reflected in the job
requirements of this International Standards, and descriptions.
b)Reporting on the performance of the information security management system to top Check if the Security Awareness Training introduced the ISMS team members.
management. Check if the Security Awareness Training is provided to the new team members.
Documented in HR Policy - and a control in place to check on the awareness
training for new team members.

6.Planning 6,1 Actions to address risks and opportunities

6.1.1 General When planning for the information security management system, the organization shall Check in Compleye Online Interested parties and legal requirements section if the
consider the issues referred to in 4.1 and the requirements referred to in 4.2 and ISMS reference field is filled in to evidence how the requirements are addressed in
determine the risks and opportunities that need to be addressed to: the organization's ISMS.
a) ensure the information security management system can achieve its intended Check if there is an X-Ray in place and if the X Ray is reviewed on a regular basis
outcome(s); and any changes are taken into consideration.
b) prevent, or reduce, undesired effects; and
c) achieve continual improvement.
The organization shall plan:
d) actions to address these risks and opportunities; and
e) how to
1) integrate and implement the actions into its information security management system
6.1.2 Information processes. and
The organization shall define and apply an information security risk assessment process Check if the following risks assessments have taken place on a yearly basis:
Security Risk that: a) establishes and maintains information security risk criteria that include:1) the ISRA
Assessment. risk acceptance criteria; and2) criteria for performing information security risk Supplier Assessment
assessments) ensures that repeated information security risk assessments produce BCP
consistent, valid and comparable results; identifies the information security risks:1)
apply the information security risk assessment process to identify risks associated with the
loss of confidentiality, integrity and availability for information within the scope of the
information security management system; and2) identify the risk owners;d) analyses the
information security risks:1) assess the potential consequences that would result if the
risks identified in 6.1.2 c) 1) were to materialize;2) assess the realistic likelihood of the Page 2 of 13
occurrence of the risks identified in 6.1.2 c) 1); and3) determine the levels of risk;e)
evaluates the information security risks:1) compare the results of risk analysis with the
risk criteria established in 6.1.2 a); and2) prioritize the analyzed risks for risk treatment.
The organization shall retain documented information about the information
 Internal Audit Checklist | www.compleye.io
6.1.2 Information The organization shall define and apply an information security risk assessment process
Security Risk that: a) establishes and maintains information security risk criteria that include:1) the
Assessment. risk acceptance criteria; and2) criteria for performing information security risk
assessments) ensures that repeated information security risk assessments produce
consistent, valid and comparable results; identifies the information security risks:1) DRP
apply the information security risk assessment process to identify risks associated with the GDPR Assessment
loss of confidentiality, integrity and availability for information within the scope of the Check if there are compliance assessments of potential customers and if the
information security management system; and2) identify the risk owners;d) analyses the results of those have led to improvements that are recorded in the Improvement
information security risks:1) assess the potential consequences that would result if the section. If there are no customer Assessment, check if commercial contracts with
risks identified in 6.1.2 c) 1) were to materialize;2) assess the realistic likelihood of the customers comply with the organization's general SLA / T&C documented in the
occurrence of the risks identified in 6.1.2 c) 1); and3) determine the levels of risk;e) legal section (sample check).
evaluates the information security risks:1) compare the results of risk analysis with the Check if all assessment are being evaluated by ISMS Team and approved by MT.
risk criteria established in 6.1.2 a); and2) prioritize the analyzed risks for risk treatment. Check if the defined improvements are subject to check on effectiveness - by
The organization shall retain documented information about the information checking 3 random improvements cards that are closed and effectiveness is
security risk assessment process. reported on the cards
Check in latest Management Review if the effectiveness of the entire ISMS system
is covered.
6.1.3 Information The organization shall define and apply an information security risk treatment process to: Check if the risk treatment procedure includes the selection of risk treatment
security risk a) select appropriate information security risk treatment options, taking account of options, depending on the results of the risk assessment
treatment the risk assessment results;b) determine all controls that are necessary to implement the Check if Compleye Online measures and controls section includes the defined
information security risk treatment option(s) chosen; NOTE Organizations can design controls together with the assigned monitoring frequency and owner.
controls as required, or identify them from any source.c) compare the controls Check if the individuals measures and controls were addressed at the planned
determined in 6.1.3 b) above with those in Annex A and verify that no necessary intervals.
controls have been omitted; NOTE 1 Annex A contains a comprehensive list of control Check if the Statement of Applicability was issued.
objectives and controls. Users of this International Standard are directed to Annex A to Check if the controls that are in scope were marked as applicable.
ensure that no necessary controls are overlooked. NOTE 2 Control objectives are implicitly Check if the justification for controls exclusion were included in the Statement of
included in the controls chosen. The control objectives and controls listed in Annex A are Applicability.
not exhaustive and additional control objectives and controls may be needed.d) produce
a Statement of Applicability that contains the necessary controls (see 6.1.3 b) and c)) and
justification for inclusions, whether they are implemented or not, and the justification for
exclusions of controls from Annex A;e) formulate an information security risk treatment
plan; andf) obtain risk owners’ approval of the information security risk treatment plan
and acceptance of the residual information security risks. The organization shall retain
documented information about the information security risk treatment process.

6.2 Security The organization shall establish information security objectives at relevant functions and Check in Compleye Online section ISMS Objectives and/or Management Review, if
Objectives levels. The information security objectives shall: the objectives were defined and are measurable
a) be consistent with the information security policy; Check if the objectives are measurable as well as aligned with the security policy,
b) be measurable (if practicable); results of the risk assessment and requirements listed in the Interested parties
c) take into account applicable information security requirements, and results from risk section
assessment and risk treatment; Check in the objectives were addressed in the last Security Awareness Training.
d) be communicated; and Check if the objectives defined are not older than 1 year.
e) be updated as appropriate. Check if it was outlined how the defined security objectives will be achieved (High
The organization shall retain documented information on the information security Level): owner, deadline, what will be done and evaluation of the results
objectives. When planning how to achieve its information security objectives, the
organization shall determine:
f) what will be done;
g) what resources will be required;
h) who will be responsible;
i) when it will be completed; and
j) how the results will be evaluated.
7. Support 7.1 Resources The organization shall determine and provide the resources needed for establishment, Check if the ISMS Team was established and the respective roles and
implementation, maintaince and continual improvement of the information security responsibilities assigned.
management. Check Compleye Online Leadership and Management section whether the ISMS
competencies have been defined and assigned to ISMS team members.
Check Compleye Online Leadership and Management section whether the ISMS
competencies were reviewed in the last 12 months.
Check Compleye Online Leadership and Management section or internal
documentation whether the ISMS roles and responsibilities were reflected in the
relevant job descriptions.
7.2 Competence The organization shall: Is there an activity/control defined on Compleye Online board for checking
a)Determine the necessary competence of person(s) during work under its control that competences on a regular basis?
affects its information security performance Check if the selected competencies for each role are reflected in the job
b)Ensure that these person are competent on the basis of appropriate education, training descriptions.
or experience Check if the Security topics were addressed during the onboarding of new Team
c)Where applicable, take actions to acquire the necessary competence, and evaluate the members.
effectiveness of the actions taken; and Is Security Awareness Training an activity for all Team members? Is it documented
d)Retain appropriate documented information as evidence of competence in the HR policy or Workspace & Equipment Policy?
Check if the onboarding pack of new staff includes the information security
policy.
7.3 Awareness Persons doing work under the organization’s control shall be aware of: Check if the ISMS roles and responsibilities were documented in job descriptions.
a)The information security policy Check if the disciplinary process has been put in place. This can be verified by
b)Their contribution to the effectiveness o the information security management system, checking a. if the employment contract includes the relevant disciplinary clauses b.
including the benefits of improved information security performance, and if the security awareness training makes a reference to disciplinary process c. if the
c)The implications of not conforming with the information security management system code of conduct policy or any similar policy was implemented and specifies the
requirements. disciplinary process.
7.4 Communication The organization shall determine the need for internal and external communications Check if the Communication Policy was documented and approved by the CEO
relevant to the information security management system including: and the final approved PDF version saved in Compleye Online security policies and
a)On what to communicate procedures section.
b)When to communicate
c)With whom to communicate
d)Who shall communicate, and
e)the processes by which communicate shall be effected.
7. 5 General documentation
7.5.1 General The organization’s information security management system shall include: Check if all ISO27001 Mandatory topics (Chapters 4 to 10) are covered in
a)documented information required by this International Standard; and Compleye Online specifying how they are organized and implemented. For
b)documented information determined by the organization as being necessary for the example, using Compleye's template ISO27001 Mandatory topics.
effectiveness of the information security management system.
a. you need to document (meaning write down) how chap 4-10 is being implemented (or If labelling is in scope in the SoA, check that labels are available on documentation.
organized).
b. label all necessary documentation important for effectiveness of the ISMS with blue
label.
7.5.2 Creating and When creating and updating documented information the organization shall ensure Check in Compleye Online Security Policies and Procedures whether the PDF final
Updating appropriate: version of security policies and procedures were saved.
Documents a)Identification and description (e.g. a title, date, author, or reference number) Select a sample of Security Policies and Procedure documents to check if the title ,
b)format (e.g. language, software version, graphics) and media (e.g paper, electronic); and date and owner was adequately referenced.
c)review and approval for suitability and adequacy.

Page 3 of 13
 Internal Audit Checklist | www.compleye.io

7.5.3 Control of Documented information required by the information security management system and Check if the filling directory process (other than Compleye Online) is documented
documented by this International Standard shall be controlled to ensure: a) it is available and suitable to specify how policies and procedures are saved in a secure and protected
information. for use, where and when it is needed; and) it is adequately protected (e.g. from loss of manner.
confidentiality, improper use, or loss of integrity).For the control of documented Select a sample of Security Policies and Procedure document to check if the latest
information, the organization shall address the following activities, as applicable) version of the document was approval by the owner
distribution, access, retrieval and use;d) storage and preservation, including the Check if there is a labeling policy (check data classification policy for this) and if
preservation of legibility;e) control of changes (e.g. version control); andf) retention and this policy is implemented with labels on documentation. If controlled by access
disposition. Documented information of external origin, determined by the organization to management policy - it is out of scope.
be necessary for the planning and operation of the information security management Check in the Information Security Communication Policy if and how the
system, shall be identified as appropriate, and controlled versioning of policies and communication is documented.
8. Operation 8.1 Operations The organization shall plan, implement and control the processes needed to meet Check if the security meeting occurred on a monthly basis.
planning and control information security requirements, and to implement the actions determined in 6.1. The
organization shall also implement plans to achieve information security objectives
determined in 6.2.The organization shall keep documented information to the extent Check if the improvements were addressed and actioned at the planned intervals.
necessary to have confidence that the processes have been carried out as planned. The
organization shall control planned changes and review the consequences of unintended Check if the security controls and measures are addressed and actioned at the
changes, taking action to mitigate any adverse effects, as necessary. The organization shall planned intervals.
ensure that outsourced processes are determined and controlled.

8.2 Information The organization shall perform information security risk assessments at planned intervals Check in Compleye Online Measures and Controls section if an ISRA control has
security risk or when significant changes are proposed or occur, taking account of the criteria been included.
assessment established in 6.1.2 a).The organization shall retain documented information of the results Check if the ISRA was performed and concluded.
of the information security risk assessments. Check if the ISRA was approved.
Check if the Improvements following the ISRA performance were approved and
included in Compleye Online Improvement section.
8.3 Information The organization shall implement the information security risk treatment plan. The Check if the Improvement Procedure is in place.
security risk organization shall retain documented information of the results of the information Check if there is a treatment plan established for improvements.
treatment security risk treatment. Is evidence of the effectiveness of the treatment plan part of the improvement
evaluation?
9. Performance 9.1 Monitoring, The organization shall evaluate the information security performance and the Check if the security metrics were established together with the description and
Evaluation measurement, effectiveness of the information security management system. The organization shall acceptable level defined.
analysis and determine:a) what needs to be monitored and measured, including information security Check if the security metrices were reviewed and documented on a regular basis.
evaluation processes and controls; b) the methods for monitoring, measurement, analysis and Check if the security controls and measures are defined with the assigned owner
evaluation, as applicable, to ensure valid results; NOTE The methods selected should and frequency of review.
produce comparable and reproducible results to be considered valid.c) when the Check if the security controls and measures are addressed and actioned at the
monitoring and measuring shall be performed;d) who shall monitor and measure;e) planned intervals.
when the results from monitoring and measurement shall be analyzed and evaluated; Check if the ISRA was performed and concluded.
andf) who shall analyse and evaluate these results. The organization shall retain Check if the Improvements following the ISRA performance were approved and
appropriate documented information as evidence of the monitoring and measurement included in the Improvement section.
9.2 Internal Audit The organization shall conduct internal audits at planned intervals to provide information Check if the internal audit was conducted at planned intervals (annual basis).
on whether the information security management system: a) conforms to1) the
organization’s own requirements for its information security management system; and2) Check if the last internal audit was performed by someone who is not part of the
the requirements of this International Standard;b) is effectively implemented and ISMS team and whose competence to perform the internal audit can be verified.
maintained. The organization shall:c) plan, establish, implement and maintain an audit
programme(s), including the frequency, methods, responsibilities, planning requirements Check if the last Internal Audit considered the last audit results, if applicable.
and reporting. The audit programme(s) shall take into consideration the importance of the Check if the Internal Audit report following the last internal audit conclusion was
processes concerned and the results of previous audits;d) define the audit criteria and submitted to the Management and ISMS Team for review and approval.
scope for each audit;e) select auditors and conduct audits that ensure objectivity and Check if the meeting with Management and/or ISMS Team occurred following the
the impartiality of the audit process;f) ensure that the results of the audits are reported last internal audit meeting to evaluate the results and define the improvements.
to relevant management; andg) retain documented information as evidence of the audit
9.3 Management Top Management shall review the organization's information security management system Check if Management Review Document was issued.
Review at planned intervals to ensure its continuing suitability, adequacy and effectiveness. The
management review shall include consideration of:a) the status of actions from previous
management reviews) changes in external and internal issues that are relevant to the Is the management review performed on time and not older than 1 year?
information security management systemics) feedback on the information security Check if the management decisions were defined and approved.
performance, including trends in:1) nonconformities and corrective actions;2) Check if the 13 compulsory topics of the management review report in Compleye
monitoring and measurement results;3) audit results; an4) fulfilment of information Online have been covered.
security objectives;d) feedback from interested parties;e) results of risk assessment and Check that the improvements decided during the management review have been
status of risk treatment plan; andf) opportunities for continual improvement. The added to the Improvement section
outputs of the management review shall include decisions related to continual
improvement opportunities and any needs for changes to the information security
management system. The organization shall retain documented information as evidence of
10 Improvement 10.1 Nonconformity 10.1 Nonconformity and corrective action When a nonconformity occurs, the Check if you are able to find the origin of the improvement (e.g. specific
and corrective organization shall:a) react to the nonconformity, and as applicable:1) take action to assessment, audit or other wise)
actions control and correct it; and2) deal with the consequences;b) evaluate the need for Check if the root cause, if other areas might be affected and if treatment plan are
action to eliminate the causes of nonconformity, in order that it does not recur or occur in place for each improvement
elsewhere, by:1) reviewing the nonconformity;2) determining the causes of the Check if owners are assigned and if deadlines and progress are tracked
nonconformity; and3) determining if similar nonconformities exist, or could potentially Check if evidence has been provided before the improvement is closed and if the
occur;c) implement any action needed;d) review the effectiveness of any corrective results have been evaluated by an ISMS team member different from the owner of
action taken; ande) make changes to the information security management system, if the improvement
necessary. Corrective actions shall be appropriate to the effects of the nonconformities check if the effectiveness of the result has been determined in the evaluation of
encountered. The organization shall retain documented information as evidence of:f) the the improvement
nature of the nonconformities and any subsequent actions taken, andg) the results of check if there is an incident procedure in place, with a CAPA procedure
any corrective action. check if there is a control in place that checks if the Preventive Actions are being
monitored.
10.2 Continual The organization shall continually improve the suitability, adequacy and effectiveness of Check if the security meetings occurred on a monthly basis and if the
Improvement the information security management system. improvements were discussed and addressed.

Page 4 of 13
 Internal Audit Checklist | www.compleye.io

Disclaimer: this template provides guidelines on how to perform an Internal audit assessment. The criteria listed below are suggestions based on what evidence can be found in Compleye Online - you can add the link to specific section in Compleye Online. If you store evidence in other tooling you can refer
to. It is possible for each organization to define new criteria adjusted to the organization's context and their own requirements as defined in their policies and procedures.

Results Internal Audit- Annex A

Chapter Norm Description Criteria Links to evidence Topics for investigation Investigation Notes Classification of Finding (after Investigation)

Non-conformity Opportunity for

improvement
A.5 Information security policies A.5.1 Management direction for information security
A.5.1.1 Created / Reviewed Control Check if the Security Policy and supporting Security
and uploadee in A set of policies for information security shall Procedures are defined and the final approved PDF
section policies & be defined, approved by management, version saved in Compleye Online Security Policies
procedures published and communicated to employees and and Procedures section.
relevant external parties. Check if the security policy and security procedures
were provided to the Staff as part of Security
Awareness Training.

Check if the Security Policy is provided to new staff

as part of the onboarding process.
Check in information Security Communication Policy
- if and how the security policy is made available to
interested parties. (e.g. customers)
Improveme Improvements Control Check if the security policy and security procedures
nts created for each The policies for information security shall be were reviewed at the planned intervals and if the
finding - section reviewed at planned intervals or if significant changes together with the approval are documented
Improvements changes occur to ensure their continuing in the policy/procedure documents and/or in
suitability, adequacy and effectiveness. Compleye Online.

A.6 Organization of information A.6.1 Internal organization

security A.6.1.1 Information security Control Check if the ISMS team was established and their
roles and All information security responsibilities shall be roles and responsibilities documented in the relevant
responsibilities defined and allocated. jobs descriptions.

A.6.1.2 • If an Information Control Check if the ISMS assigned roles could pose potential
Security Risk Conflicting duties and areas of responsibility conflict of interest.
Assessment and/or shall be segregated to reduce opportunities for
external audit has unauthorized or unintentional modification or
been performed the misuse of the organization’s assets.
year before, check in
Compleye Online
Internal Audit if all
findings have been
addressed and
improvements have
been closed.
A.6.1.3 Contact with Control Check if the DPO/Privacy Officer job
authorities Appropriate contacts with relevant authorities profile/description - as contact person for
shall be maintained. supervisory authorities is assigned.
A.6.1.4 Contact with special Control Check if the special interest groups together with
interest groups Appropriate contacts with special interest the contact details were listed in Compleye Online
groups or other specialist security forums and Legal or Strategy & Ambition sections.
professional associations shall be maintained.
A.6.1.5 Information security Control Check if the Information Security aspects are
in project Information security shall be addressed in included in the project procedure.
management project management, regardless of the type of
the project.
A.6.2 Mobile devices and teleworking
A.6.2.1 Mobile device policy Control Check if the security measures concerning Mobile
A policy and supporting security measures shall device use are listed in the Workspace & Equipment
be adopted to manage the risks introduced by Check if the security measures concerning Mobile
using mobile devices. device were addressed during the last Security
Awareness training.
A.6.2.2 Teleworking Control Check if the security measures concerning remote
A policy and supporting security measures shall working are listed in the Workspace & Equipment
be implemented to protect information Check if the security measures concerning remote
accessed, processed or stored at teleworking working were addressed during the last Security
sites. Awareness training.
If the organization is a full remote working company,
check if there is a specific policy establishing rules for
remote working.
A.7 Human resource security A.7.1 Prior to employment
A.7.1.1 Screening Control Check if the Team Member Off/On Boarding
Background verification checks on all Procedures were established and documented.
candidates for employment shall be carried out Check if the employment screening is in place and if
in accordance with relevant laws, regulations the process was documented.
and ethics and shall be proportional to the
business requirements, the classification of the
information to be accessed and the perceived
risks.
A.7.1.2 Terms and conditions Control Check if the employment contract include the
of employment The contractual agreements with employees references to responsibilities for information
and contractors shall state their and the security.
organization’s responsibilities for information
security.
A.7.2 During employment
A.7.2.1 Management Control Check if the information security policies and
responsibilities. Management shall require all employees and relevant procedures are provided to new staff as
contractors to apply information security in part of the onboarding process.
accordance with the established policies and
procedures of the organization.

Page 5 of 13
 Internal Audit Checklist | www.compleye.io
A.7.2.1 Management Control
responsibilities. Management shall require all employees and
contractors to apply information security in
accordance with the established policies and Check if the information security policies and
procedures of the organization. procedures are provided to participants as part of
the security awareness training.
A.7.2.2 Information security Control Check if the information security policies procedures
awareness, education All employees of the organization and, where were addressed during the last security awareness
and training relevant, contractors shall receive appropriate training.
awareness education and training and regular
updates in organizational policies and
procedures, as relevant for their job function.
A.7.2.3 Disciplinary process Control Check if the disciplinary process is in place. This
There shall be a formal and communicated should be referenced in the employment contract
disciplinary process in place to take action and/or Code of Conduct Policy/employee
against employees who have committed an Was the Code of Conduct Policy or employee
information security breach. handbook documented and PDF version of the
approved document saved in Compleye Online
Security Policies and Procedures section.
Check if the Security Awareness Training refers to
the disciplinary process.
Check if the results of the security awareness
A.7.3 Termination and change of employment
A.7.3.1 Termination or Control Check if the employment contract makes a reference
change Information security responsibilities and duties to the post termination clauses regarding the
of employment that remain valid after termination or change information securities related responsibilities.
respon- of employment shall be defined, communicated
sibilities to the employee or contractor and enforced.

A.8 Asset management A.8.1 Responsibility for assets

A.8.1.1 Inventory of assets Control Check if devices and equipment used to process
Assets associated with information and data are listed in Compleye Online asset register.
information processing facilities shall be
identified and an inventory of these assets shall
be drawn up and maintained.
A.8.1.2 Ownership of assets Control As per above check if the listed assets have the
Assets maintained in the inventory shall be assigned owners.
owned.
A.8.1.3 Acceptable use of Control Check if the rules of handling assets are defined in
assets Rules for the acceptable use of information the Workspace & Equipment Policy.
and of assets associated with information and
information processing facilities shall be
identified, documented and implemented.
A.8.1.4 Return of assets Control Check if the Team Member On/Off Boarding
All employees and external party users shall Procedures specify the equipment handed over and
return all of the organizational assets in their returned. Check if the implementation of the
possession upon termination of their On/Off Boarding Procedures is documented for
employment, contract or agreement. each employee joining or leaving the company.
A.8.2 Information classification
A.8.2.1 Classification of Control Check if the Data Classification Procedure was
information Information shall be classified in terms of legal documented and the final approved PDF version
requirements, value, criticality and sensitivity to saved in the Security Policies and Procedures section.
unauthorized disclosure or modification. Check in Compleye Online if data assets are classified
in the Data Classification section.
A.8.2.2 Labelling of Control Check if there is a labeling policy and if this policy is
information An appropriate set of procedures for implemented with labels on documentation. Check if
information labelling shall be developed and labels are correctly implemented in the Data
implemented in accordance with the Check if the Data Classification and Labelling topic is
information classification scheme adopted by addressed in the Security Awareness training.
the organization.
A.8.2.3 Handling of assets Control Check if the rules of handling assets are defined in
Procedures for handling assets shall be the Workspace & Equipment Policy.
developed and implemented in accordance
with the information classification scheme
adopted by the organization.
A.8.3 Media handling
A.8.3.1 Management of Control If applicable, Check if Workspace & Equipment
removable media Procedures shall be implemented for the Policy addresses the management of removable
management of removable media in accordance media.
with the classification scheme adopted by the
organization.
A.8.3.2 Disposal of media Control If applicable, Check if Workspace & Equipment
Media shall be disposed of securely when no Policy addresses the disposal of removable media.
longer required, using formal procedures.
A.8.3.3 Physical media Control If applicable, Check if Workspace & Equipment
transfer Media containing information shall be Policy addresses the management of physical media
protected against unauthorized access, misuse transfer.
or corruption during transportation.
A.9 Access control A.9.1 Business requirements of access control
A.9.1.1 Access control policy Control Check if an Access Management Procedure was
An access control policy shall be established, documented and the final PDF version was saved in
documented and reviewed based on business Compleye Online Security Policies and Procedures
and information security requirements. Check if the Access Management Procedure was
reviewed in the last 12 months.
Check in Compleye Online if the list of applications
and tools was listed and the access rights defined.
Check if the access overview was reviewed in line

Page 6 of 13
A.9 Access control
A.9.1.1 Access control policy Control
An access control policy shall be established,

Internal Audit Checklist | www.compleye.io

documented and reviewed based on business
and information security requirements.

Check if external parties have access to applicatiosn

or tools and if this was documented in the Access
Overview.
A.9.1.2 Access to networks Control Check if only the users who are listed in the Access
and network services Users shall only be provided with access to the Overview have access to the listed Tool/Application.
network and network services that they have This could be evidenced by requesting a sample of
been specifically authorized to use. current access rights overview to a selected
Tool/Application.
Check if there is a security control for control on
access of tools and if being performed accordingly
to described procedure
A.9.2 User access management
A.9.2.1 User registration and Control Check if the Team Member On/Off Boarding
de-registration A formal user registration and de-registration Procedures specify the creation and removal of
process shall be implemented to enable access rights. Check if the implementation of the
assignment of access rights. On/Off Boarding Procedures is documented for
each employee joining or leaving the company.
Check if if the Access Management Procedure was
documented and the final and approved PDF
version is listed in Compleye Online Security Policies
and Procedures section.
A.9.2.2 User access Control Check is the security control for Access of Tooling
provisioning A formal user access provisioning process shall and Application is in place.
be implemented to assign or revoke access
rights for all user types to all systems and
services.
A.9.2.3 Management of Control Check in Compleye Online if admin access rights are
privileged access The allocation and use of privileged access assigned for each tool/application. This includes the
rights rights shall be restricted and controlled. overview of any privileged access rights, if applicable.

A.9.2.4 Management of Control Check in the access management policy if it is

secret authentication The allocation of secret authentication defined how secret authentication information is
information of users information shall be controlled through a controlled during access process
formal management process.

A.9.2.5 Review of user access Control Check if the Team Members listed as not-active still
rights Asset owners shall review users’ access rights at have access to tools/applications as per Access
regular intervals. Overview records.
Check if the user access rights were reviewed at
planned intervals.
A.9.2.6 Removal or Control Check if there is a process of removing/adjusting
adjustment of access The access rights of all employees and external Check if removing access rights is part of the Off
rights party users to information and information Boarding checklist/process.
A.9.3 User responsibilities
A.9.3.1 Use of secret Control Check the Workspace & Equipment Policy for rules
authentication Users shall be required to follow the to secure passwords.
information organization’s practices in the use of secret Check in the security awareness training if the topic
authentication information. of user responsibility concerning secret
authentication information was covered
A.9.4 System and application access control
A.9.4.1 Read Control Check if the principles of privacy by design are
Access to information and application system implemented in policies and/or controls:
functions shall be restricted in accordance with - Implement the "need-to-know" and “need-to-do”
the access control policy. principles
- Limit the collection of personal data to the
minimum necessary for the identified purposes.
- Ensure the accuracy and quality of personal data
necessary for its processing
- Ensure the de-Identification and deletion of
personal data as soon as the original data is no
longer necessary for the identified purpose(s).
- Not retain personal data for longer than is
necessary for the purposes for which the personal
data is processed.
- Document policies, procedures and/or mechanisms
for the disposal of personal data.
- Ensure the security of personal data transmission.
- Provide the ability to return, transfer and/or
dispose of personal data in a secure manner.
A.9.4.2 Secure log-on Control Check if procedures are documented for providing
procedures Where required by the access control policy, access in a secure way (e.g. encryption of passwords)
access to systems and applications shall be
controlled by a secure log-on procedure.
A.9.4.3 Password Control Check if there is a password management system in
management system Password management systems shall be place and controlled
interactive and shall ensure quality passwords.
A.9.4.4 Use of privileged Control Check if Utility Programs are defined and if rules of
utility programs The use of utility programs that might be use are set on these programs.
capable of overriding system and application
controls shall be restricted and tightly
controlled.
A.9.4.5 Access control to Control Check if all tooling used in SDLC is listed.
program source code Access to program source code shall be Check if access to this tooling is controlled.
restricted.

A.10 Cryptography A.10.1 Cryptographic controls

A.10.1.1 Policy on the use of Control Check if the Cryptography Policy was documented
cryptographic A policy on the use of cryptographic controls and the final approved PDF version saved in
controls for protection of information shall be Compleye Online Security Policies and Procedures
developed and implemented. section.

Page 7 of 13
 Internal Audit Checklist | www.compleye.io
A.10 Cryptography

A.10.1.2 Key management Control Check if Key management process is defined in the
A policy on the use, protection and lifetime of Cryptography Policy.
cryptographic keys shall be developed and Check if the control for Key Management process
implemented through their whole lifecycle. was included in Compleye Online Security Controls
and Measures section.
As per above, check if the control was concluded at
planned intervals and the required evidence
provided.
A.11 Physical and environmental A.11.1 Secure areas
security A.11.1.1 Physical security Control Check if the policy for the secure areas was
perimeter Security perimeters shall be defined and used documented and the final approved PDF version
to protect areas that contain either sensitive or saved in Compleye Online Security Policies and
critical information and information processing Procedures section.
facilities.
A.11.1.2 Physical entry Control Check if the policy for the secure areas establishes if
controls Secure areas shall be protected by appropriate the secure areas are locked and if there is a control
entry controls to ensure that only authorized on who has access.
personnel are allowed access.
A.11.1.3 Securing offices, Control Check if there is a Physical security policy for offices
rooms and facilities Physical security for offices, rooms and facilities
shall be designed and applied.
A.11.1.4 Protecting against Control Are controls in place for natural disasters, if
external and Physical protection against natural disasters, applicable for secure areas?
environmental malicious attack or accidents shall be designed
threats and applied.

A.11.1.5 Working in secure Control Are procedures or rules in place for working in
areas Procedures for working in secure areas shall be secure areas? Are they documented?
designed and applied.
A.11.1.6 Delivery and loading Control if loading areas are applicable, are there special rules
areas Access points such as delivery and loading around physical security for delivery services? Are
areas and other points where unauthorized they documented?
persons could enter the premises shall be
controlled and, if possible, isolated from
information processing facilities to avoid
unauthorized access.
A.11.2 Equipment
A.11.2.1 Equipment siting and Control Check if the access managment policy was
protection Equipment shall be sited and protected to documented and the final approved PDF version
reduce the risks from environmental threats saved in Compleye Online Security Policies and
and hazards, and opportunities for Procedures section.
unauthorized access.
A.11.2.2 Supporting utilities Control If there are supporting utilities, eg. servers on office
Equipment shall be protected from power site, check if there are controls in place in case of
failures and other disruptions caused by power failure.
failures in supporting utilities.
A.11.2.3 Cabling security Control E.g. for office networks and servers, are there
Power and telecommunications cabling carrying measures in place to protect them from interception
data or supporting information services shall be or damage?
protected from interception, interference or
damage.
A.11.2.4 Equipment Control Is there a maintenance program in place for all
maintenance Equipment shall be correctly maintained to hardware assets?
ensure its continued availability and integrity.
A.11.2.5 Removal of assets Control Is there a procedure in place for removal of
Equipment, information or software shall not hardware? Is the implementation of the procedure
be taken off-site without prior authorization. documented (certificate for example)?
A.11.2.6 Security of Control Check if the Workspace & Equipment Policy makes a
equipment and assets Security shall be applied to off-site assets reference to the use of equipment off site.
off-premises taking into account the different risks of Check if the Security Awareness Training referred to
working outside the organization’s premises. the use of equipment offsite.
A.11.2.7 Secure disposal or Control Check if the Workspace & Equipment Policy makes a
reuse of equipment All items of equipment containing storage reference to the disposal of unused equipment.
media shall be verified to ensure that any Check if the Security Awareness Training referred to
sensitive data and licensed software has been the to the disposal of unused equipment.
removed or securely overwritten prior to
disposal or re-use.
A.11.2.8 Unattended user Control Check if the Workspace & Equipment Policy makes a
equipment Users shall ensure that unattended equipment reference to unattended
has appropriate protection. Check if the Security Awareness Training referred to
the unattended laptops/workstations/devices.
A.11.2.9 Clear desk and clear Control Check if the Workspace & Equipment Policy makes
screen policy A clear desk policy for papers and removable Check if the Security Awareness Training referred to
storage media and a clear screen policy for the Clear desk and clear screen rules.
information processing facilities shall be
adopted.

A.12 Operations security A.12.1 Operational procedures and responsibilities

A.12.1.1 Documented Control Check if procedures for operating information
operating procedures Operating procedures shall be documented processing and communications (installation and
and made available to all users who need them. configuration of systems, backup, equipment
maintenance, media handling, recovery procedures,
management of logs, monitoring procedures, etc.) are
documented and approved PDF versions saved in
Compleye Online Security Policies and Procedures.

Is there a procedure in place to monitor the system

and is the team trained for it?

Page 8 of 13
Internal Audit Checklist | www.compleye.io

A.12.1.2 Change management Control Check if the Change Management Procedure was
Changes to the organization, business documented and the final and approved PDF
processes, information processing facilities and versions saved in Compleye Online Security Policies
systems that affect information security shall Check in Compleye Online Controls section and/or
be controlled. Security Meetings whether the controls for such
changes are in place.
Check if in the change management procedure
covers the following topics: changes to SW Code,
Suppliers, Team Members, ISMS Team Members,
Access of Tooling.
Check if the SDLC covers change management in the
development process and if the implementation of
the process is documented.
A.12.1.3 Capacity Control Check if there are rules documented on data server
A.12.1.4 Separation of Control Check in Compleye Online X-Ray Component Cloud
development, testing Development, testing, and operational Environment and/or SDLC if there is a separation of
and environments shall be separated to reduce the development, testing and production environment in
operational risks of unauthorized access or changes to the place.
environments operational environment.
A.12.2 Protection from malware
A.12.2.1 Controls against Control Check if the threat Malware is part of the annual
malware Detection, prevention and recovery controls to ISRA assessment.
protect against malware shall be implemented, Check if the ISO27002 controls are documented in
combined with appropriate user awareness. the ISRA assessment.
Check the Workspace & Equipment Policy if the
controls to avoid malware on Laptops are in place.
Check if there is a Malware tool in place that detects
malware on the server.
Check if the Malware topic is covered during
Security Awareness Training.
Check if Team members are assessed on Malware
attempts (e.g. Phishing) or at least informed about
such attempts.
A.12.3 Backup
A.12.3.1 Information backup Control Check Compleye Online Cloud Server component
Backup copies of information, software and and/or Data Backup Plan whether there is a backup
system images shall be taken and tested plan in place for data servers.
regularly in accordance with an agreed backup Check if there is in Compleye Online Contracts
policy. Overview section information related to service
description, SLA with customer and whether there
are contractual agreements on data backup plans.
Check if there is a list of Vendor Assessments. If so
and if additional arrangements have been made with
customers concerning Data Backup Plans, check if
they are covered with a security control.
Check if there is a database restore/recovery plan in
place that covers the Policy and/or contractual
agreements.
Check if the database restore/recovery test have
been performed as defined.
Check if the Backup Procedure was documented
and the final and approved PDF version was saved
in the Security Policies and Procedures Rules.
A.12.4 Logging and monitoring
A.12.4.1 Event logging Control Check if the process for monitoring and storing log
Event logs recording user activities, exceptions, was documented and the final and approved PDF
faults and information security events shall be version was saved in the Security Policies and
produced, kept and regularly reviewed. Check if the events logs are analyzed on a regular
basis and if this is documented.
A.12.4.2 Protection of log Control Check if the process specifies how log information is
information Logging facilities and log information shall be protected from tampering and unauthorized access.
protected against tampering and unauthorized
access.
A.12.4.3 Administrator and Control Check in the SW Access Overview if the system
operator logs System administrator and system operator administrators are assigned.
activities shall be logged and the logs protected Check if the System Administrators use admin@
and regularly reviewed. account names.
A.12.4.4 Clock Control Check in Compleye Online if the Clock
synchronization The clocks of all relevant information synchronization is organized between different
processing systems within an organization or If the Clock Synchronization is outsourced check if
security domain shall be synchronized to a the evidence to prove this was provided.
A.12.5 Control of operational software
A.12.5.1 Installation of Control Check if there are specific rules documented for
software on Procedures shall be implemented to control the installing software on Operating Systems (e.g. your
operational systems installation of software on operational systems. own product BackEnd)

A.12.6 Technical vulnerability management

A.12.6.1 Management of Control Check if technical vulnerabilities scanning is
technical Information about technical vulnerabilities of performed at the planned intervals.
vulnerabilities information systems being used shall be
obtained in a timely fashion, the organization’s Check if the security metrics were established and
exposure to such vulnerabilities evaluated and monitor the technical related incidents.
appropriate measures taken to address the Check if the technical vulnerabilities are considered
associated risk. in ISRA.
Check if the PEN Testing was performed at the
planned intervals and the findings addressed.
A.12.6.2 Restrictions on Control Check if these rules on software installation
software installation Rules governing the installation of software by restrictions are addressed in Workspace &
users shall be established and implemented. Check if the rules on software installation
restrictions were addressed in the Security
Awareness Training.

Page 9 of 13
 Internal Audit Checklist
A.12.6.2 | www.compleye.io
Restrictions on Control
software installation Rules governing the installation of software by
users shall be established and implemented.

Are there rules on software tools to be used on the

hardware? Are they documented?
A.12.7 Information systems audit considerations
A.12.7.1 Information systems Control Check if the person responsible for operations is also
audit controls Audit requirements and activities involving involved in test or audit plans making sure there is
verification of operational systems shall be no disruption in normal operations.
carefully planned and agreed to minimize
disruptions to business processes.
A.13 Communications security A.13.1 Network security management
A.13.1.1 Network controls Control Are there controls in place to secure office network?
Networks shall be managed and controlled to If outsourced, are there agreements on how that is
protect information in systems and organized?
A.13.1.2 Security of network Control Do you have a policy around your own network? If
services Security mechanisms, service levels and outsourced is there a SLA in place?
management requirements of all network
services shall be identified and included in
network services agreements, whether these
services are provided in-house or outsourced.
A.13.1.3 Segregation in Control Did you address the segragation of network in the
networks Groups of information services, users and SLA (or did you organized it self)? E.g. the separation
information systems shall be segregated on of critical networks from the Internet and other
networks. internal, less sensitive networks.
A.13.2 Information transfer
A.13.2.1 Information transfer Control Check if the Communication Policy was documented
policies and Formal transfer policies, procedures and and the transfer of information documented in the
procedures controls shall be in place to protect the Communication Policy.
transfer of information through the use of all
types of communication facilities.
A.13.2.2 Agreements on Control Check if the contract with the key external parties
information transfer Agreements shall address the secure transfer of address the secure transfer of information (e.g.
business information between the organization DPAs in place and/or Data transfer agreements).
and external parties.
A.13.2.3 Electronic messaging Control Check if the messaging system is protected against
Information involved in electronic messaging spam/viruses/phishing, if message encryption, IP
shall be appropriately protected. address monitoring and email blocking are
implemented.
Check if the data in transit is encrypted, this should
be specified in the Cryptography procedure.

A.13.2.4 Confidentiality or Control Check if Non-Disclosure Agreements are in place

nondisclosure Requirements for confidentiality or non- and used with third parties.
agreements disclosure agreements reflecting the Check if confidentiality clauses are included in the
organization’s needs for the protection of employment/ contractor contracts and terms and
information shall be identified, regularly conditions/agreements executed with
reviewed and documented. clients/customers.
A.14 System acquisition, A.14.1 Security requirements of information systems
development and maintenance A.14.1.1 Information security Control Check if the security assessment was performed on
requirements analysis The information security related requirements all of the suppliers.
and specification shall be included in the requirements for new Check that if the organization develops/buys a new
information systems or enhancements to tool, security related requirements are taken into
existing information systems. consideration. Check if this is documented.
A.14.1.2 Securing application Control Check if the security measures applied on public
services on public Information involved in application services networks were documented.
networks passing over public networks shall be protected
from fraudulent activity, contract dispute and
unauthorized disclosure and modification.

A.14.1.3 Protecting Control Check if the encryption methods were applied and
application services Information involved in application service specified in the Cryptography Procedure
transactions transactions shall be protected to prevent
incomplete transmission, mis-routing,
unauthorized message alteration, unauthorized
disclosure, unauthorized message duplication
or replay.
A.14.2 Security in development and support processes
A.14.2.1 Secure development Control Check if the SDLC was documented and saved in
policy Rules for the development of software and Compleye Online SLDC Documentation.
systems shall be established and applied to
developments within the organization.
A.14.2.2 System change Control Is there a change management process in place in
control procedures Changes to systems within the development the SDLC?
lifecycle shall be controlled by the use of
formal change control procedures.
A.14.2.3 Technical review of Control Is there a test plan in place for deployment? And are
applications after When operating platforms are changed, security issues part of that testplan? Is that
operating platform business critical applications shall be reviewed documented?
changes and tested to ensure there is no adverse
impact on organizational operations or
security.
A.14.2.4 Restrictions on Control Check if software packages (multiple applications or
changes to software Modifications to software packages shall be code modules that work together to meet various
packages discouraged, limited to necessary changes and goals and objectives) are applicable to your product
all changes shall be strictly controlled. or supporting tooling. If so, check if this was
addressed in your SDLC.
A.14.2.5 Secure system Control Check if your SDLC covers security, security issues
engineering principles Principles for engineering secure systems shall definition, checking security during writing
be established, documented, maintained and requirements and testplan (technical requirements:
applied to any information system check if there is a potential security impact/issue).
implementation efforts.

Page 10 of 13
 Internal Audit Checklist | www.compleye.io

A.14.2.6 Secure development Control How is your development environment secured? Did
environment Organizations shall establish and appropriately you document that in the SDLC? Is the whole SDLC
protect secure development environments for part of that secured environment?
system development and integration efforts
that cover the entire system development
lifecycle.
A.14.2.7 Outsourced Control Check if the outsourcing rules are documented and
development The organization shall supervise and monitor the final approved version saved in Compleye Online
the activity of outsourced system development. Security Policies and Procedures list.
Check if the outsourcing rules specify the data the
outsourcing party has access to (manual check).
Check if the outsourcing party is profiled as high risk
on information security and business continuity and
if there is an additional assessment
A.14.2.8 System security Control Check if security is part of Test Protocol?
A.14.2.9 System acceptance Control Is acceptance testing part of SDLC?
testing Acceptance testing programs and related
criteria shall be established for new information
systems, upgrades and new versions.

A.14.3 Test data

A.14.3.1 Control Check if protection of test data rules were
Test data shall be selected carefully, protected addressed and documented in the SLDC document
and controlled. or any other procedural document. Check what kind
data are used for test data.
A.15 Supplier relationships A.15.1 Information security in supplier relationships
A.15.1.1 Information security Control Check if a Supplier management procedure was
policy for supplier Information security requirements for implemented and the final approved version saved in
relationships mitigating the risks associated with supplier’s Compleye Online Security Policies and Procedures
access to the organization’s assets shall be section.
agreed with the supplier and documented. Check if the supplier overview is filled in and has
been updated less than a year ago
In Additional supplier assessment, check if all fields
are filled and that residual risk is approved
Check if all tools listed in the Software overview are
also listed in the supplier overview (manual check for
now, suggestion on the roadmap)
Check that all suppliers have been assessed on
information security and business continuity risks
Check that all suppliers have an owner (suggestion
on the roadmap)
A.15.1.2 Addressing security Control If the field "Access to restricted data" is checked for
within supplier All relevant information security requirements a supplier, this supplier should be profiled as high risk
agreements shall be established and agreed with each for information security risks
supplier that may access, process, store, Check if suppliers for which the field "Stakeholder in
communicate, or provide IT infrastructure access management overview" is checked, are
components for, the organization’s profiled as high risk for information security risks
information. Check if the additional assessment for High/Medium
Risk profiled suppliers was performed on all fields

A.15.1.3 Information and Control Check if the additional assessment for High/Medium
communication Agreements with suppliers shall include Risk profiled suppliers was reviewed and approved
technology supply requirements to address the information Check if the additional assessment for High/Medium
chain security risks associated with information and Check if improvements resulting from the additional
communications technology services and assessment are included in the improvement section
product supply chain.
For High/Medium Risk profiled suppliers, check if
compliance tab is filled in (manual check)
A.15.2 Supplier service delivery management
A.15.2.1 Monitoring and Control Check in the Access Management
review of supplier Organizations shall regularly monitor, review Procedures/Overview if suppliers have access to
services and audit supplier service delivery. data and if they do check if controls are arranged
(check assessment).
Check in the Supplier overview if suppliers have
access to restricted data. If so verify if the DPA is in
place.
A.15.2.2 Managing changes to Control Check if the changes to Supplier overview is being
supplier services Changes to the provision of services by assessed during the monthly security meeting.
suppliers, including maintaining and improving Check if suppliers are being assessed on an annual
existing information security policies, basis.
procedures and controls, shall be managed,
taking account of the criticality of business
information, systems and processes involved
and re-assessment of risks.
A.16 Information security incident A.16.1 Management of information security incidents and improvements
management A.16.1.1 Responsibilities and Control Check if the incident procedure was documented
procedures Management responsibilities and procedures and the final approved PDF version saved in the
shall be established to ensure a quick, effective Security Policies and Procedures section.
and orderly response to information security
incidents.
A.16.1.2 Reporting Control Check if the ISMS team is established and the roles
information security Information security events shall be reported assigned and the escalation process is established in
events through appropriate management channels as the incident/breach procedure.
quickly as possible.
A.16.1.3 Reporting Control Check if the subject of incident management was
information security Employees and contractors using the addressed during the Security Awareness Training.
weaknesses organization’s information systems and services
shall be required to note and report any
observed or suspected information security
weaknesses in systems or services.

Page 11 of 13
 Internal Audit Checklist | www.compleye.io

A.16.1.4 Assessment of and Control Check if incidents are reported and monitored in the
decision on Information security events shall be assessed Security Metrics.
information security and it shall be decided if they are to be
events classified as information security incidents. Check if the reported incidents were adequately
classified.
A.16.1.5 Response to Control Check if the incident/breach procedural steps were
information security Information security incidents shall be followed and the evidenced documented.
incidents responded to in accordance with the
documented procedures.
A.16.1.6 Learning from Control Check if the improvements are created following the
information security Knowledge gained from analyzing and resolving incident.
incidents information security incidents shall be used to
reduce the likelihood or impact of future
incidents.
A.16.1.7 Collection of Control Check if the security incident/breach reports are
evidence The organization shall define and apply Check if every procedural step for Incident
procedures for the identification, collection, procedures was evidenced and adequately
acquisition and preservation of information, documented.
which can serve as evidence.
A.17 Information security aspects of A.17.1 Information security continuity
business continuity management A.17.1.1 Planning information Control Check if the BCP assessment was performed and
security continuity The organization shall determine its documented.
requirements for information security and the Check if the BCP assessment addressed the
continuity of information security management information security management planning.
in adverse situations, e.g. during a crisis or As per above, check if the BCP assessment was
disaster. performed in the last 12 months.
A.17.1.2 Implementing Control Check if the DRP assessment was performed and
information security The organization shall establish, document, documented.
continuity implement and maintain processes, procedures
and controls to ensure the required level of As per above, check if the DRP assessment was
continuity for information security during an performed in the last 12 months.
adverse situation.

A.17.1.3 Verify, review and Control Check if the security continuity related security
evaluate information The organization shall verify the established controls were established at the planned intervals.
security continuity and implemented information security This includes Data/ Code Restore, Backups, Pen
continuity controls at regular intervals in order As per above, check if the controls were concluded
to ensure that they are valid and effective at the planned intervals and the required evidence
during adverse situations. provided.
A.17.2 Redundancies
A.17.2.1 Availability of Control Check if there is a DRP Plan in place or if the BCP
information Information processing facilities shall be assessment is performed on an annual basis or at
processing facilities implemented with redundancy sufficient to planned intervals.
meet availability requirements. Check if the improvements created following the
BCP or DRP assessment were concluded at the
planned intervals and the required evidence
documented.
Check if contracts and SLAs with customers are
aligned with the content of your BCP/DRP and
other policies where applicable (sample check).
A.18 Compliance A.18.1 Compliance with legal and contractual requirements
A.18.1.1 Identification of Control Check in the Interested Parties & Legal Requirements
applicable legislation All relevant legislative statutory, regulatory, if the applicable regulatory and legislative framework
and contractual requirements and the was defined and documented.
contractual organization’s approach to meet these
requirements requirements shall be explicitly identified,
documented and kept up to date for each
information system and the organization.
A.18.1.2 Intellectual property Control Check if the Intellectual Property scope and purpose
rights Appropriate procedures shall be implemented was defined in the Intellectual Property section in
to ensure compliance with legislative, regulatory Compleye Online Legal section.
and contractual requirements related to Check if the contract with service providers that
intellectual property rights and use of participate in the IP creation includes the relevant IP
proprietary software products. protective clauses.
Check if they have a IP statement.
Check if the contract with employees/contractors
that participate in the IP creation includes the
relevant IP protective clauses.
As per above, the employee/contractors contract
should be received and attached as an evidence.
Check if NDA with relevant third parties are saved
as evidence in the Legal or Supplier sections.
A.18.1.3 Protection of records Control Check in Compleye Online Interested parties and
Records shall be protected from loss, legal requirements section if the ISMS reference field
destruction, falsification, unauthorized access is filled in to evidence how the requirements are
and unauthorized release, in accordance with addressed in the organization's ISMS.
legislator, regulatory, contractual and business
requirements.
A.18.1.4 Privacy and Control Check if the GDPR assessment was concluded in the
protection of Privacy and protection of personally last twelve months.
personally identifiable identifiable information shall be ensured as
information required in relevant legislation and regulation Check if the improvements following the GDPR
where applicable. assessment were created in the Improvement
section.
Check if the findings were implemented
Check if GDPR Legal basis and User documentation
subsections are filled in
If the organization has customers in several
countries, check if section global impact is used to
list additional requirements.

Page 12 of 13
 personally identifiable identifiable information shall be ensured as
information required in relevant legislation and regulation
where applicable.

Internal Audit Checklist | www.compleye.io

Check if all countries of operations are listed and if

the section was reviewed less than a year ago.
Check if a DPIA was performed and concluded and
the required evidence documented.
A.18.1.5 Regulation of Control Check if the Cryptographic Procedure was
cryptographic Cryptographic controls shall be used in documented and if the final and approved PDF
controls compliance with all relevant agreements, version was saved in the Security Policies and
legislation and regulations. If applicable, check if the Cyptographic Procedure
makes a reference to any specifc rules and
regulations.
Check if the Cryptographic related controls are
established in the Security Control and Measures
section together with the assigned owners and
planned review intervals.
A.18.2 Information security reviews
A.18.2.1 Independent review Control Check if the internal audit was performed and
of information The organization’s approach to managing concluded at planed intervals.
security information security and its implementation (i.e.
Check if the improvements /non conformities
control objectives, controls, policies, processes
identified following the internal audit were
and procedures for information security) shall addressed and the required evidence provided and
be reviewed independently at planned intervals attached
or when significant changes occur. Check if all Policies & Procedures are reviewed on
planned intervals (check the review and approvals in
Compleye Online)
Check if all controls are conducted on planned
intervals. (check the overdue controls in Compleye
Online)
A.18.2.2 Compliance with Control Check if regular Security Meetings have been taking
security policies and Managers shall regularly review the compliance place to review the Security Metrics on interval
standards of information processing and procedures Check if all other topics (and changes) have been
within their area of responsibility with the subject to security meetings.
appropriate security policies, standards and any
other security requirements.
A.18.2.3 Technical compliance Control Check if the annual assessment of all of the security
review Information systems shall be regularly reviewed policies and procedures was assessed and concluded.
for compliance with the organization’s
information security policies and standards. Check if the PEN Testing was performed at the
planned intervals (at least annually) and if the
improvements defined were actioned and addressed.

Check if the scanning of technical vulnerabilties is

performed and if the vulnerabilities defined were
actioned and addressed.

Page 13 of 13