How to audit ISO 27001

Information classification is the foundation of any good Information Security Management System (ISMS). If you get this basic step wrong, many of your other security controls will likely fail. This guide cuts through the noise to give you a clear framework for managing and auditing information classification. This will help you meet the needs of […]

Introduction: More Than Just Labels Information classification is the foundation of a strong Information Security Management System (ISMS). It is defined in ISO 27001 Annex A 5.12 Classification of information. For any organisation with limited time, getting this right is the first step to success. It ensures all your later security efforts work well. If you

Introduction: More Than Just a Checklist You might think ISO 27001 Annex A 5.11 Return of assets is just a simple HR task. However, as a lead auditor, I often see this become a major failure point during ISO 27001 audits. You need to view this control as more than a line on an off boarding

Introduction: The Hidden Risk in a Leaver’s Laptop What keeps your security chief up at night? It is a question that seems simple. However, the answer often goes beyond firewall breaches or phishing attacks. When a trusted person leaves your organisation, the biggest danger is not just their disabled access badge. It is what they

Of all the controls in the ISO 27001 framework, Annex A 5.10 Acceptable use of information and other associated assets, is likely the most critical for managing the human side of security. This control governs how people interact with your best assets, from data and software to hardware and cloud services. Because it is the

ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets, manages the most unpredictable part of security: people. This control acts as a vital shield. It sets clear ground rules for everyone who touches your company’s data or systems. This applies to staff, contractors, and third-party users alike. When we say “associated

If you want to make an Information Security Manager sweat, ask to see their Asset Inventory. It is the one document that is almost guaranteed to be out of date the moment it is saved. For an auditor, Annex A 5.9 (formerly A.8.1.1 in the 2013 version) is a goldmine. It is the thread that,

If you ask a Project Manager (PM) about their top priorities, they will likely list “Budget,” “Timeline,” and “Scope.” If you are lucky, they might whisper “Quality.” Security? That usually gets tacked on the week before the go-live date. As an auditor, or someone preparing for an audit, your job with ISO 27001 Annex A

Auditing Annex A 5.7 (Threat Intelligence) can be tricky because it is one of the new controls in the 2022 standard. Unlike checking a firewall rule or a locked door, auditing “intelligence” feels abstract. How do you audit a thought process? As an auditor, or someone preparing to face one, you need to move past

If you are auditing ISO 27001 Annex A 5.6, you might be tempted to just ask for a list of memberships, tick the box, and move on. Don’t do that. This control is often underestimated, but it is actually the pulse check of an organization’s security culture. Annex A 5.6 isn’t just about paying dues

Auditing ISO 27001 Annex A 5.5 is often treated as a “tick-box” exercise, which is exactly where organizations, and auditors, go wrong. On the surface, it seems simple: does the company have a list of phone numbers? But a good audit goes deeper. It asks: If the building is on fire or the server is

Auditing ISO 27001 Annex A 5.4 is where the rubber meets the road. While other controls look at firewalls or locked doors, this control looks at culture. It asks a simple but uncomfortable question: Does management actually care, or is this just a paper exercise? As an auditor (or someone preparing for an audit), your

In the world of information security, technology often gets the spotlight. We talk about firewalls, encryption, and advanced threat detection systems. Yet, the most sophisticated security system can be undermined by a single, unintentional human error. This is where ISO 27001 Clause 7.3 Awareness proves its critical importance. This clause is not just about ticking

In the world of information security management, ISO 27001 Clause 7.3 Awareness is far more than a compliance item to be satisfied with a single annual training video. It is the cornerstone of a resilient security culture. An effective awareness programme transforms security from a niche IT concern into an embedded, shared responsibility that permeates

At its core, ISO 27001 Clause 6.2 is not about bureaucratic box-ticking; it is about defining the very purpose—the ‘why’—of an organisation’s Information Security Management System (ISMS). This clause requires an organisation to establish clear, actionable information security objectives, effectively creating a strategic roadmap for its security efforts. For an auditor, this is a critical

In the world of information security, ISO 27001 Clause 6.2 Information security objectives and planning to achieve them, is far more than a bureaucratic box-ticking exercise. Think of it as the strategic compass for your entire Information Security Management System (ISMS). This clause compels an organisation to move beyond vague intentions and establish a clear

In the world of information security and IT operations, change is the only constant. Yet, uncontrolled change is a primary source of costly service outages, data breaches, and compliance failures. A seemingly minor, undocumented update can cascade into a major security incident. For this reason, a robust change management process is not a bureaucratic hurdle—it

In the world of information security, change management is the living backbone of credible, auditable compliance. Far from being a bureaucratic hurdle, a robust change management process is your primary defence against the very chaos it is designed to control. According to Gartner, nearly 70% of service outages originate from uncontrolled or undocumented changes—a primary

While robust testing is the bedrock of successful software development and system maintenance, test environments are frequently a significant security weak spot and a common source of audit findings. The pressure to innovate quickly can lead to shortcuts that expose sensitive data, turning a critical quality assurance process into a high-risk liability. This article provides

Facing an ISO 27001 audit can feel like preparing for a final exam, especially when navigating technical controls. For many business leaders, Annex A 8.33, which governs the security of test information, can seem particularly overwhelming. You are not alone in feeling this way; it is a common point of stress and uncertainty. However, properly

The process of an information systems audit presents a fundamental paradox: the very activities designed to verify and strengthen security can, if managed improperly, introduce significant risks. An uncontrolled audit can disrupt critical services, compromise sensitive data, or even cause system failures. This guide provides a practical, clear walkthrough on how to conduct secure and

Information system audits are a cornerstone of any effective security programme. They are essential for verifying that security controls are functioning as intended and for ensuring compliance with standards. However, this necessary scrutiny presents a fundamental challenge: the very act of auditing can introduce significant risks to the live, operational systems that power the business.

Mastering ISO 27001 Clause 7.1 is the foundation of a resilient Information Security Management System (ISMS). As a lead auditor, I have seen that the most successful organisations view “Resources” not as a bureaucratic hurdle, but as the tangible proof of senior management’s commitment to security. Whether it is human capital, budget, or technical tools,

Auditing ISO 27001 Clause 7.1 (Resources) is a critical phase in achieving and maintaining UKAS-accredited certification. This clause transitions an Information Security Management System (ISMS) from theoretical policy to operational reality. By verifying an organisation’s tangible commitment through people, budget, and infrastructure, an audit confirms that information security is a functional pillar of business operations.

While the ISO 27001 standard can appear daunting, Clause 7.2 on “Competence” is where compliance becomes intensely practical. It focuses on your people—your first and last line of defence. This guide serves as your blueprint, moving beyond theory to detail precisely what ISO 27001 auditors scrutinise, the evidence they demand, and how to demonstrate staff

In information security, a robust management system is built on more than just technology and policies; it is built on the people who operate it. ISO 27001 Clause 7.2 (Competence) is the bedrock of this human element. It ensures your team possesses the necessary skills, knowledge, and experience to protect your organisation’s valuable information assets.

The 2022 update to the ISO 27001 standard introduced a vital requirement: Clause 6.3, “Planning of changes.” While new clauses often cause concern for organisations undergoing certification, this addition simply formalises best-practice processes. In my 30 years as an auditor, I have found that this clause ensures modifications to the Information Security Management System (ISMS)

Introduction: Demystifying Change Planning in ISO 27001:2022 The ISO 27001:2022 update introduced Clause 6.3, ‘Planning of Changes’. For those preparing for an audit, this addition is not a complex hurdle but a formalisation of mature best practices: managing change in a deliberate, planned manner. As an auditor with over 30 years of experience, I view

One of the most fundamental, and frequently fumbled parts of the ISO 27001 standard is Clause 5.3. As an “ISO 27001 ninja” with extensive audit experience, I have seen accountability forged or forgotten within this specific clause. While Clause 5.3 covers organisational roles, responsibilities, and authorities, it is often where Information Security Management System (ISMS)

In my 30 years as an auditor, I have witnessed more Information Security Management System (ISMS) projects fail due to fuzzy roles than complex cyber-attacks. When accountability is absent, tasks remain incomplete. This is why ISO 27001 Clause 5.3, “Organisational roles, responsibilities and authorities,” is critical. Clause 5.3 mandates that organisations eliminate ambiguity by ensuring

Welcome to a practical, step-by-step guide on how to audit information security policies under ISO 27001 Annex A 5.1. Drawing from direct experience as a lead auditor, this guide aims to demystify the process for internal teams preparing for an audit and new auditors seeking to understand key focus areas. The goal is to clarify

Achieving ISO 27001 certification is a massive milestone for any organisation. It proves you are serious about information security. But at the very foundation of this achievement lies a clear, comprehensive set of documents: your information security policies. These aren’t just bureaucratic hurdles. They are strategic directives that guide your entire security programme. The specific

The ISO 27001 Clause 4.4 audit checklist is designed to help an ISO 27001 Lead Auditor conduct internal audits and external audits of ISO 27001 Clause 4.4 The Information Security Management System (ISMS) The 10 point ISO 27001 audit plan sets out what to audit, the challenges faced and the audit techniques to adopt. Establishing