CIC

ISO 27001:2022
Information Security, Cybersecurity,
and Privacy Protection

Internal Audit Checklist

Organization Name
CONTEXT
THE ORGANISATION

☐ Have we determined internal and external issues that will impact on our information
security management system? “NO/YES”

☐ Have we determined which stakeholder requirements are addressed through the

information security management system? “NO/YES”

Interested Parties

☐ Have we determined what internal and external interested parties are relevant to the
information security management system and what their requirements are? “NO/YES”

Scope

☐ Have we determined the boundaries of the information security

management system and documented the scope? “NO/YES”

Leadership
Leadership and Commitment

☐
Can we demonstrate top management is providing leadership and commitment to the
information security management system? “NO/YES”

Information Security Policy

☐ Have we documented an information security policy that is
communicated and available? “NO/YES”

Roles and Responsibilities

☐ Are roles and responsibilities for information security communicated and
understood? “NO/YES”
Planning
Risks and Opportunities

☐ Have we determined the information security risks and opportunities related to our
organization? “NO/YES”

☐ Have we implemented a documented information security risk assessment process? “NO/YES”

Statement of Applicability

☐ Have we documented a risk treatment plan and Statement of Applicability with regard to
controls? “NO/YES”

Information Security Objectives

☐ Have we established information security objectives? “NO/YES”

☐ Are our information security objectives available as documented information? “NO/YES”

☐ Do we monitor, measure, and communicate them? “NO/YES”

☐ Do we have plans to achieve them? “NO/YES”

☐ Have we maintained records? “NO/YES”

Planning of changes

☐ Are changes to the information security management system

carried out in a manner that is planned? “NO/YES”
Support
Resources

☐ Have we determined and ensured necessary resources are in place for the information
security management system? “NO/YES”

Competence
☐ Do we ensure competence of personnel? “NO/YES”

☐ Do we maintain records? “NO/YES”

Awareness

☐ Have we ensured that personnel are aware of our policy, relevant objectives, and their
responsibilities? “NO/YES”

Communication

☐ Have we determined processes for internal and external communication relevant to

information security? “NO/YES”

Control of Documents
☐ Do we ensure documents and records are controlled? “NO/YES”

Operations
Operational Planning and Control

☐ Have we established and maintained procedures to meet the requirements of the

information security management system? “NO/YES”

☐ Have we established criteria for processes, and do we maintain control of the processes in
accordance with these criteria? “NO/YES”

Risk Assessment

☐ Do we assess risk at planned intervals and when significant changes occur, and do we
maintain records? “NO/YES”

Risk Treatment

☐ Have we implemented risk treatment plans, and do we maintain records? “NO/YES”

Performance Evaluation
Monitoring & Measurement

☐ Do we monitor things such as processes, operational controls, access, usage, change? “NO/YES”

☐ Do we measure things such as KPIs, performance against targets? “NO/YES”

☐ Do we analyse this information and maintain records? “NO/YES”

Internal Audit

☐ Do we plan and conduct internal audits to ensure the information security system conforms
to requirements and is implemented effectively? “NO/YES”

☐ Do we maintain records? “NO/YES”

Management Review

☐
Does our top management review our information security management system at planned
intervals? “NO/YES”

☐ Do we maintain records? “NO/YES”

Do we include decisions relating to continual improvement and any need for changes in
☐ the documented results of the management reviews? “NO/YES”
Improvement
Continual Improvement

☐ Do we continually improve the information security management system? “NO/YES”

Nonconformity and Corrective Action

☐ Do we take control of, correct and deal with the consequences of nonconformities raised?
“NO/YES”

☐ Do we review and determine the root cause of the nonconformity? “NO/YES”

Do we review the effectiveness of corrective action taken and use this knowledge to make
☐ changes or improvements to the information security management system? “NO/YES”

☐ Do we maintain records? “NO/YES”

 ANNEX A
Control Status
5 Organizational Controls

5.1 Policies for A set of information security policies relevant to

information interested parties
security
5.2 Information security Defining and allocating roles and responsibilities within the
roles and responsibilities information security management system as appropriate and
in accordance with organizational
needs
5.3 Segregation of duties Conflicting duties and areas of responsibility are
handled separately from each other
5.4 Management Management ensures all personnel are applying
responsibilities information security in accordance with the established
policies and procedures of the organisation

5.5 Contact with Contact with relevant authorities is established and

authorities maintained by the organisation
5.6 Contact with Contact with special interest groups, specialist
special interest security forums and/or professional associations is established
groups and maintained by the organisation
5.7 Threat intelligence The organisation collects and analyses information relating
to information security threats
5.8 Information security Information security is integrated into management
in of projects
project management
5.9 Inventory of Development and maintenance of an inventory of
information and information and other associated assets, including
other owners
associated assets
5.10 Acceptable use of Defined, documented, and implemented rules for the
information and other acceptable use and procedures for handling information and
Associated assets other associated assets
5.11 Return of assets Assets belonging to the organisation in the possession of
personnel and other interested parties are returned to the
organisation upon change to or termination of their
employment, contract, or agreement

5.12 Classification of Information is classified based on confidentiality, integrity,

information availability, and relevant interested party requirements

5.13 Labelling of A set of defined, documented, and implemented

information procedures for labeling of information aligned with
the information classification scheme
5.14 Information transfer Defined and implemented rules, procedures, or
agreements for all types of transfer facilities within
 the organisation as well as between the organisation
and other parties
5.15 Access control Defined and documented rules to control physical
and logical access to information
5.16 Identity management Management of identities for their full life cycle

5.17 Authentication information Allocation and management of authentication

information, such as usernames and passwords, is
controlled by a management process that includes
advising personnel on appropriate handling of
authentication information
5.18 Access rights Provisioning, reviewing, and monitoring of access
rights to information and other assets in accordance
with the relevant policy and rules for access control
5.19 Information security in Defined and implemented processes and procedures
supplier relationships for managing information security risks associated
with the use of supplier products or services
5.20 Addressing information Establishing and agreeing upon information security
security within requirements in supplier relationships
supplier agreements
5.21 Managing information Defined and implemented processes and procedures
security in the information and to manage information security risks associated with
communication technology ICT products and services supply chain
(ICT)supply chain
5.22 Monitoring, review and Regular monitoring, review, and evaluation of
change management of changes in supplier information security practices
supplier
services
5.23 Information security for use Establishing processes for the acquisition, use,
of cloud services management, and exit from cloud services in
accordance with the organisational information
security requirements
5.24 Information security Defined, implemented, and communicated processes
incident management as well as roles and responsibilities for management
planning and of an information security incident
preparation
5.25 Assessment and decision on Assessing information security events to determine if
information security events they are to be categorised as information security
incidents
5.26 Response to information Documented and implemented procedures on
security appropriate response to information security
incidents incidents
5.27 Learning from information Strengthening and improving controls based on
security incidents knowledge gained from information security
incidents
5.28 Collection of evidence Establishing and implementing procedures for
identification, collection, acquisition, and
preservation of evidence relating to information
security events
5.29 Information security Developing a plan to maintain information security at
during an appropriate level during disruption
disruption
5.30 ICT readiness for Implementing processes so the organisation can continue
business continuity operations as usual in case of a disruption
that affects ICT
5.31 Legal, statutory, Identifying, documenting and keeping up to date with legal,
regulatory, and statutory, regulatory and contractual requirements relevant
contractual requirements to information security
5.32 Intellectual property Implementing appropriate procedures to protect
rights intellectual property rights
5.33 Protection of records Storing records such that they are protected from loss,
destruction, falsification, unauthorised access,
and unauthorised release
5.34 Privacy and Identifying and meeting relevant requirements regarding
protection of personal preservation of privacy and protection of PII
identifiable information
(PII)
5.35 Independent Independent reviews at planned intervals, or when
review of significant changes occur, of the organisational approach
information security to managing information security and its implementation
including people, processes, and technologies

5.36 Compliance with Regularly reviewing organisational compliance with its

policies, rules, and information security policy and topic-specific
standards for policies, rules, and standards
information security
5.37 Documented Documented procedures for information processing
operating facilities
procedures
6 People Controls
6.1 Screening Conducting background checks on all candidates prior
to joining the organisation as well as on an ongoing
basis
6.2 Terms and Documenting both personnel and organisational
conditions of responsibilities for information security in
employment employment contractual agreements
6.3 Information Regularly providing personnel of the organisation and other
security awareness, relevant interested parties appropriate information security
education, and awareness, education, and
training training as well as updates of the organisation’s
information security policy, topic-specific policies, and
procedures as appropriate to their job
6.4 Disciplinary process Formalising and communicating a process to take actions
against personnel and other relevant interested parties
who violate information security
policies
6.5 Defining, enforcing, and communicating to relevant
Responsibilities personnel and interested parties the responsibilities and
after termination duties that remain after termination or change of
or change of employment
employment
6.6 Confidentiality Documenting and regularly reviewing confidentiality or
or non-disclosure non-disclosure agreements signed by personnel and other
agreements relevant parties as per organisational
needs
6.7 Remote working Implementing security measures when personnel are
working remotely such that information accessed,
processed, or stored outside the organisation’s
premises is protected
6.8 Information Providing a method by which personnel can report
security event observed or suspected information security events
reporting through appropriate channels and in a timely manner
7 Physical Controls
7.1 Physical security Defining security perimeters to protect areas that
perimeters contain information and other associated assets
7.2 Physical entry Protecting secure areas with appropriate entry
controls and access points
7.3 Securing offices, Designing and implementing physical security for offices,
rooms, and facilities rooms, and facilities
7.4 Physical security Continuous monitoring of premises for unauthorised
monitoring physical access
7.5 Protecting against Designing and implementing infrastructure to protect
physicaland against physical and environmental threats such as natural
environmental threats disasters
7.6 Working in secure areas Designing and implementing security measures for
working in secure areas
7.7 Clear desk and clear Defining and enforcing clear desk rules for papers and
screen removable storage, as well as clear screen rules for
information processing facilities
7.8 Equipment siting and Securely siting and protecting equipment
protection
7.9 Security of Protecting assets that are stored off-site
assets off-
premises
7.10 Storage media Managing storage media through their life cycle of
acquisition, use, transportation, and disposal in
accordance with the organisation’s classification
scheme and handling requirements
7.11 Supporting utilities Protecting information processing facilities from
power failures and other disruptions
7.12 Cabling security Protecting cables carrying power, data, or supporting
information services from interception, interference, or
damage
7.13 Equipment Maintaining equipment correctly to ensure the
maintenance availability, integrity, and confidentiality of
information
7.14 Secure disposal or re- Verifying items of equipment containing storage
use of media to ensure that any sensitive data and licensed
equipment
 software has been removed or securely overwritten
prior to disposal or re-use
8 Technological Controls
8.1 User end point devices Protecting information stored on, processed by, or
accessible via user end point devices
8.2 Privileged access rights Restricting and managing the use or privileged access
rights
8.3 Information access Restricting access to information and other
restriction associated assets in accordance with the
organisation’s access control policy
8.4 Access to source code Managing read and write access to source code,
development tools and software libraries
8.5 Secure authentication Implementing secure authentication technologies and
procedures based on access restrictions and the
organisation’s access control policy
8.6 Capacity management Monitoring and adjusting the use of resources in line with
current and expected capacity requirements
8.7 Protection against Implementing malware protection supported by user
malware awareness
8.8 Management of Obtaining information about technical vulnerabilities,
technical evaluating the organisation’s exposure to such
vulnerabilities vulnerabilities, and taking appropriate measures
8.9 Configuration Establishing, documenting, implementing, monitoring,
management and reviewing configurations including
security configurations of hardware, software,
services, and networks
8.10 Information deletion Deleting information stored in information systems,
devices, or other storage media when the information is
no longer required
8.11 Data masking Masking data as appropriate and in accordance with
the organisation’s access control policy and other
relevant legislation
8.12 Data leakage Applying measures to systems, networks, and any other
prevention devices that process, store, or transmit
sensitive data to prevent leakage of data
8.13 Information backup Maintaining backup copies of information, software,
and systems
8.14 Redundancy of Implementing sufficient redundancy in information
information processing processing systems to meet availability requirements
facilities
8.15 Logging Producing, storing, protecting, and analysing logs that record
activities, exceptions, faults, and other
relevant events
8.16 Monitoring activities Monitoring networks, systems, and applications for unusual
behaviour and taking appropriate actions to
evaluate potential for information security events
8.17 Clock synchronisation Synchronising clocks of information processing
systems to approve time sources
8.18 Use of privileged Restricting the use of utility programs that can
utility override system and application controls
programs
8.19 Installation of Implementing procedures to securely manage installation of
software on operational software on operational systems
systems
8.20 Networks security Securing, managing, and controlling networks and
network devices to protect information in systems and
applications
8.21 Security of network Implementing and monitoring security mechanisms,
services service levels, and service requirements of network
services
8.22 Segregation of Segregating groups of information services, users, and
networks information systems in the organisation’s networks

8.23 Web filtering Managing access to external websites to reduce

exposure to malicious content
8.24 Use of cryptography Defining and implementing rules for effective use of
cryptography, including cryptographic key
management
8.25 Secure Establishing and applying rules for the secure
development lifecycle development of software and systems
8.26 Application security Identifying information security requirements when
requirements developing or acquiring applications
8.27 Secure system Establishing, documenting, maintaining, and applying
architecture and principles for engineering secure systems to all information
engineering principles system development activities
8.28 Secure coding Applying secure coding principles to software
development
8.29 Security testing in Defining and implementing processes for security
development and testing within the development life cycle
acceptance
8.30 Outsourced Monitoring and reviewing development activities that
development have been outsourced
8.31 Separation of Secure, separate environments for development, testing, and
development, test, and production
production environments
8.32 Change management Procedures implemented to manage changes to
information processing facilities and information
systems
8.33 Test information Appropriate selection, protection, and management
of information used for testing
8.34 Protection of Planning and appropriately managing audit tests and other
information systems assurance activities of operational systems
during audit testing