In this guide for ISO 27001 auditors, for each ISO 27001 control you will get:
- a 10-point ISO 27001 audit checklist with detailed audit steps and the Pass/Fail Test
- a SaaS / GRC Platform Failure Checklist
The 10-point audit checklist provides:
- verification criteria,
- required evidence,
- and the Pass/Fail Test.
The SaaS / GRC Platform Failure Checklist gives you:
- the control requirement,
- the checkbox compliance trap and the common way SaaS and GRC platforms fail audits,
- and the reality check of how to audit such platforms.
Table of contents
How to Audit ISO 27001 Organisational Controls (Clause 5)
| ISO 27001 Annex A Control | Control Name | Audit Purpose & Compliance Check | Audit Guide Link |
|---|---|---|---|
| ISO 27001 Annex A 5.1 | Policies for information security | Verify that information security policies are defined, approved by management, published, and communicated to all employees and relevant external parties. | How to audit ISO 27001 Annex A 5.1 |
| ISO 27001 Annex A 5.2 | Information security roles and responsibilities | Audit evidence that security roles are clearly defined and assigned to individuals with the appropriate authority and competence. | How to audit ISO 27001 Annex A 5.2 |
| ISO 27001 Annex A 5.3 | Segregation of duties | Check that conflicting duties and areas of responsibility are segregated to reduce opportunities for unauthorized or unintentional modification or misuse of assets. | How to audit ISO 27001 Annex A 5.3 |
| ISO 27001 Annex A 5.4 | Management responsibilities | Verify that management requires all personnel to apply information security in accordance with the established policies and procedures of the organization. | How to audit ISO 27001 Annex A 5.4 |
| ISO 27001 Annex A 5.5 | Contact with authorities | Audit the existence of an up-to-date contact list for relevant legal, regulatory, and supervisory authorities to be used during a security incident. | How to audit ISO 27001 Annex A 5.5 |
| ISO 27001 Annex A 5.6 | Contact with special interest groups | Ensure the organization maintains appropriate contact with special interest groups, security forums, and professional associations to stay updated on threat intelligence. | How to audit ISO 27001 Annex A 5.6 |
| ISO 27001 Annex A 5.7 | Threat intelligence | Verify the collection and analysis of threat intelligence information to identify and mitigate current security threats relevant to the organization. | How to audit ISO 27001 Annex A 5.7 |
| ISO 27001 Annex A 5.8 | Information security in project management | Check that information security risks are addressed and requirements are integrated into project management methodologies for all types of projects. | How to audit ISO 27001 Annex A 5.8 |
| ISO 27001 Annex A 5.9 | Inventory of information and other associated assets | Audit the inventory of information and other associated assets to ensure it is maintained, accurate, and includes ownership details. | How to audit ISO 27001 Annex A 5.9 |
| ISO 27001 Annex A 5.10 | Acceptable use of information and other associated assets | Verify that rules for the acceptable use of information and of assets associated with information and information processing facilities are identified, documented, and implemented. | How to audit ISO 27001 Annex A 5.10 |
| ISO 27001 Annex A 5.11 | Return of assets | Audit the process for ensuring all assets are returned by employees or external parties upon termination of their employment, contract, or agreement. | How to audit ISO 27001 Annex A 5.11 |
| ISO 27001 Annex A 5.12 | Classification of information | Verify that information is classified in terms of legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification. | How to audit ISO 27001 Annex A 5.12 |
| ISO 27001 Annex A 5.13 | Labelling of information | Check that an appropriate set of procedures for information labelling is implemented in accordance with the information classification scheme adopted by the organization. | How to audit ISO 27001 Annex A 5.13 |
| ISO 27001 Annex A 5.14 | Information transfer | Audit the rules, procedures, and agreements in place to protect information transferred between the organization and other external parties. | How to audit ISO 27001 Annex A 5.14 |
| ISO 27001 Annex A 5.15 | Access control | Verify the access control policy is established, documented, and reviewed based on business and information security requirements. | How to audit ISO 27001 Annex A 5.15 |
| ISO 27001 Annex A 5.16 | Identity management | Check the full lifecycle of identity management to ensure unique identification and appropriate authentication of users for access to systems. | How to audit ISO 27001 Annex A 5.16 |
| ISO 27001 Annex A 5.17 | Authentication information | Audit the allocation and management of authentication information (like passwords and tokens) to ensure user responsibility and protection. | How to audit ISO 27001 Annex A 5.17 |
| ISO 27001 Annex A 5.18 | Access rights | Verify the process for provisioning, modifying, and removing access rights to information and other associated assets. | How to audit ISO 27001 Annex A 5.18 |
| ISO 27001 Annex A 5.19 | Information security in supplier relationships | Check that information security requirements are agreed upon and documented with each supplier that accesses the organization’s assets. | How to audit ISO 27001 Annex A 5.19 |
| ISO 27001 Annex A 5.20 | Addressing information security within supplier agreements | Audit supplier agreements to ensure they establish and agree upon relevant information security obligations between the organization and the supplier. | How to audit ISO 27001 Annex A 5.20 |
| ISO 27001 Annex A 5.21 | Managing information security in the ICT supply chain | Verify processes for managing risks associated with the information and communication technology (ICT) products and services supply chain. | How to audit ISO 27001 Annex A 5.21 |
| ISO 27001 Annex A 5.22 | Monitoring, review and change management of supplier services | Audit the regular monitoring and review of supplier services to ensure they meet the agreed information security requirements and service levels. | How to audit ISO 27001 Annex A 5.22 |
| ISO 27001 Annex A 5.23 | Information security for use of cloud services | Verify the process for acquisition, use, management, and exit from cloud services in accordance with the organization’s information security requirements. | How to audit ISO 27001 Annex A 5.23 |
| ISO 27001 Annex A 5.24 | Information security incident management planning and preparation | Check that processes are in place to ensure a quick, effective, and orderly response to information security incidents. | How to audit ISO 27001 Annex A 5.24 |
| ISO 27001 Annex A 5.25 | Assessment and decision on information security events | Audit the process for assessing information security events and deciding if they should be classified as information security incidents. | How to audit ISO 27001 Annex A 5.25 |
| ISO 27001 Annex A 5.26 | Response to information security incidents | Verify that information security incidents are responded to in accordance with the documented procedures. | How to audit ISO 27001 Annex A 5.26 |
| ISO 27001 Annex A 5.27 | Learning from information security incidents | Check that knowledge gained from analyzing and resolving information security incidents is used to reduce the likelihood of future incidents. | How to audit ISO 27001 Annex A 5.27 |
| ISO 27001 Annex A 5.28 | Collection of evidence | Audit the procedures for the identification, collection, acquisition, and preservation of evidence related to information security events. | How to audit ISO 27001 Annex A 5.28 |
| ISO 27001 Annex A 5.29 | Information security during disruption | Verify that information security is maintained at an appropriate level during disruption to business operations. | How to audit ISO 27001 Annex A 5.29 |
| ISO 27001 Annex A 5.30 | ICT readiness for business continuity | Check that ICT readiness is planned, implemented, maintained, and tested to ensure business continuity objectives are met. | How to audit ISO 27001 Annex A 5.30 |
| ISO 27001 Annex A 5.31 | Legal, statutory, regulatory and contractual requirements | Audit the identification and documentation of all relevant legal, statutory, regulatory, and contractual requirements and the organization’s approach to meet them. | How to audit ISO 27001 Annex A 5.31 |
| ISO 27001 Annex A 5.32 | Intellectual property rights | Verify that procedures are implemented to protect intellectual property rights and ensure compliance with legal obligations. | How to audit ISO 27001 Annex A 5.32 |
| ISO 27001 Annex A 5.33 | Protection of records | Check that records are protected from loss, destruction, falsification, unauthorized access, and unauthorized release. | How to audit ISO 27001 Annex A 5.33 |
| ISO 27001 Annex A 5.34 | Privacy and protection of PII | Audit compliance with privacy and protection of personally identifiable information (PII) according to relevant laws and regulations. | How to audit ISO 27001 Annex A 5.34 |
| ISO 27001 Annex A 5.35 | Independent review of information security | Verify that the organization’s approach to managing information security is reviewed independently at planned intervals or when significant changes occur. | How to audit ISO 27001 Annex A 5.35 |
| ISO 27001 Annex A 5.36 | Compliance with policies, rules and standards for information security | Check that managers regularly review the compliance of information processing and procedures within their area of responsibility. | How to audit ISO 27001 Annex A 5.36 |
| ISO 27001 Annex A 5.37 | Documented operating procedures | Audit the documentation and availability of operating procedures for information processing facilities to ensure correct and secure operation. | How to audit ISO 27001 Annex A 5.37 |
How to Audit ISO 27001 People Controls (Clause 6)
| ISO 27001 Annex A Control | Control Name | Audit Purpose & Compliance Check | Audit Guide Link |
|---|---|---|---|
| ISO 27001 Annex A 6.1 | Screening | Audit checklist to verify background checks on all candidates prior to joining, proportionate to business risk and laws. | How to audit ISO 27001 Annex A 6.1 |
| ISO 27001 Annex A 6.2 | Terms and conditions of employment | Verify that employment contracts state the employee’s and the organization’s responsibilities for information security. | How to audit ISO 27001 Annex A 6.2 |
| ISO 27001 Annex A 6.3 | Information security awareness, education and training | Check that personnel receive appropriate awareness, education, and training and are updated on organizational policies. | How to audit ISO 27001 Annex A 6.3 |
| ISO 27001 Annex A 6.4 | Disciplinary process | Audit the formal disciplinary process for taking action against personnel who have committed an information security breach. | How to audit ISO 27001 Annex A 6.4 |
| ISO 27001 Annex A 6.5 | Responsibilities after termination or change of employment | Verify that information security responsibilities and duties remain valid after termination or change of employment. | How to audit ISO 27001 Annex A 6.5 |
| ISO 27001 Annex A 6.6 | Confidentiality or non-disclosure agreements | Check that confidentiality or non-disclosure agreements regarding information are identified, reviewed, and signed. | How to audit ISO 27001 Annex A 6.6 |
| ISO 27001 Annex A 6.7 | Remote working | Audit security measures for remote working sites to ensure the protection of information accessed or processed outside the office. | How to audit ISO 27001 Annex A 6.7 |
| ISO 27001 Annex A 6.8 | Information security event reporting | Verify that a mechanism exists for personnel to report observed or suspected information security weaknesses and events. | How to audit ISO 27001 Annex A 6.8 |
How to Audit ISO 27001 Physical Controls (Clause 7)
| ISO 27001 Annex A Control | Control Name | Audit Purpose & Compliance Check | Audit Guide Link |
|---|---|---|---|
| ISO 27001 Annex A 7.1 | Physical security perimeters | Audit checklist to verify that security perimeters are defined and used to protect areas that contain information assets. | How to audit ISO 27001 Annex A 7.1 |
| ISO 27001 Annex A 7.2 | Physical entry | Verify that secure areas are protected by appropriate entry controls to ensure only authorized personnel are granted access. | How to audit ISO 27001 Annex A 7.2 |
| ISO 27001 Annex A 7.3 | Securing offices, rooms and facilities | Check that physical security for offices, rooms, and facilities is designed and applied effectively to prevent unauthorized access. | How to audit ISO 27001 Annex A 7.3 |
| ISO 27001 Annex A 7.4 | Physical security monitoring | Audit the continuous monitoring of physical security perimeters for unauthorized access or suspicious behavior. | How to audit ISO 27001 Annex A 7.4 |
| ISO 27001 Annex A 7.5 | Protecting against physical and environmental threats | Verify protection against natural disasters, malicious attacks, or accidents that could damage information assets. | How to audit ISO 27001 Annex A 7.5 |
| ISO 27001 Annex A 7.6 | Working in secure areas | Check that security protocols for working in secure areas are designed and applied to prevent unauthorized activities. | How to audit ISO 27001 Annex A 7.6 |
| ISO 27001 Annex A 7.7 | Clear desk and clear screen | Audit the implementation of clear desk rules for papers and removable storage media and clear screen rules for information processing facilities. | How to audit ISO 27001 Annex A 7.7 |
| ISO 27001 Annex A 7.8 | Equipment siting and protection | Verify that equipment is sited and protected to reduce risks from environmental threats and hazards and opportunities for unauthorized access. | How to audit ISO 27001 Annex A 7.8 |
| ISO 27001 Annex A 7.9 | Security of assets off-premises | Check that assets taken off-site are secure, taking into account the different risks of working outside the organization’s premises. | How to audit ISO 27001 Annex A 7.9 |
| ISO 27001 Annex A 7.10 | Storage media | Audit the procedures for the management of removable storage media, including classification, handling, and disposal. | How to audit ISO 27001 Annex A 7.10 |
| ISO 27001 Annex A 7.11 | Supporting utilities | Verify that supporting utilities (e.g., electricity, water, HVAC) are protected from power failures and other disruptions. | How to audit ISO 27001 Annex A 7.11 |
| ISO 27001 Annex A 7.12 | Cabling security | Check that power and telecommunications cabling carrying data or supporting information services is protected from interception or damage. | How to audit ISO 27001 Annex A 7.12 |
| ISO 27001 Annex A 7.13 | Equipment maintenance | Audit the maintenance of equipment to ensure its continued availability and integrity according to supplier recommendations. | How to audit ISO 27001 Annex A 7.13 |
| ISO 27001 Annex A 7.14 | Secure disposal or re-use of equipment | Check that all items of equipment containing storage media are verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal. | How to audit ISO 27001 Annex A 7.14 |
How to Audit ISO 27001 Technological Controls (Clause 8)
| ISO 27001 Annex A Control | Control Name | Audit Purpose & Compliance Check | Audit Guide Link |
|---|---|---|---|
| ISO 27001 Annex A 8.1 | User endpoint devices | Audit checklist to verify that user endpoint devices are protected to prevent unauthorized access and data leakage. | How to audit ISO 27001 Annex A 8.1 |
| ISO 27001 Annex A 8.2 | Privileged access rights | Verify that the allocation and use of privileged access rights are restricted and controlled. | How to audit ISO 27001 Annex A 8.2 |
| ISO 27001 Annex A 8.3 | Information access restriction | Check that access to information and other associated assets is restricted in accordance with the access control policy. | How to audit ISO 27001 Annex A 8.3 |
| ISO 27001 Annex A 8.4 | Access to source code | Audit the strict control of read and write access to source code, development tools, and software libraries. | How to audit ISO 27001 Annex A 8.4 |
| ISO 27001 Annex A 8.5 | Secure authentication | Verify the implementation of secure authentication technologies and procedures based on information sensitivity and risk. | How to audit ISO 27001 Annex A 8.5 |
| ISO 27001 Annex A 8.6 | Capacity management | Check that the use of resources is monitored and adjusted to ensure the required system performance. | How to audit ISO 27001 Annex A 8.6 |
| ISO 27001 Annex A 8.7 | Protection against malware | Audit the implementation of detection, prevention, and recovery controls to protect against malware. | How to audit ISO 27001 Annex A 8.7 |
| ISO 27001 Annex A 8.8 | Management of technical vulnerabilities | Verify that information about technical vulnerabilities is obtained, evaluated, and addressed quickly. | How to audit ISO 27001 Annex A 8.8 |
| ISO 27001 Annex A 8.9 | Configuration management | Check that configurations of hardware, software, services, and networks are established, documented, and enforced. | How to audit ISO 27001 Annex A 8.9 |
| ISO 27001 Annex A 8.10 | Information deletion | Audit the secure deletion of information stored in information systems, devices, or storage media when no longer required. | How to audit ISO 27001 Annex A 8.10 |
| ISO 27001 Annex A 8.11 | Data masking | Verify data masking is used in accordance with the organization’s access control policy and other requirements. | How to audit ISO 27001 Annex A 8.11 |
| ISO 27001 Annex A 8.12 | Data leakage prevention | Check that data leakage prevention measures are applied to systems, networks, and other devices processing sensitive information. | How to audit ISO 27001 Annex A 8.12 |
| ISO 27001 Annex A 8.13 | Information backup | Audit that backup copies of information, software, and system images are taken and tested regularly. | How to audit ISO 27001 Annex A 8.13 |
| ISO 27001 Annex A 8.14 | Redundancy of information processing facilities | Verify that information processing facilities have sufficient redundancy to meet availability requirements. | How to audit ISO 27001 Annex A 8.14 |
| ISO 27001 Annex A 8.15 | Logging | Check that logs recording user activities, exceptions, faults, and information security events are produced and kept. | How to audit ISO 27001 Annex A 8.15 |
| ISO 27001 Annex A 8.16 | Monitoring activities | Audit the monitoring of networks, systems, and applications for anomalous behavior and potential security incidents. | How to audit ISO 27001 Annex A 8.16 |
| ISO 27001 Annex A 8.17 | Clock synchronization | Verify that the clocks of all relevant information processing systems are synchronized to a single reference time source. | How to audit ISO 27001 Annex A 8.17 |
| ISO 27001 Annex A 8.18 | Use of privileged utility programs | Check that the use of utility programs that effectively override system and application controls is restricted and tightly controlled. | How to audit ISO 27001 Annex A 8.18 |
| ISO 27001 Annex A 8.19 | Installation of software on operational systems | Audit the procedures and controls for the installation of software on operational systems to prevent unauthorized changes. | How to audit ISO 27001 Annex A 8.19 |
| ISO 27001 Annex A 8.20 | Networks security | Verify that networks are managed and controlled to protect information in systems and applications. | How to audit ISO 27001 Annex A 8.20 |
| ISO 27001 Annex A 8.21 | Security of network services | Check the security mechanisms, service levels, and management requirements of all network services. | How to audit ISO 27001 Annex A 8.21 |
| ISO 27001 Annex A 8.22 | Segregation of networks | Audit the segregation of networks into groups of information services, users, and information systems. | How to audit ISO 27001 Annex A 8.22 |
| ISO 27001 Annex A 8.23 | Web filtering | Verify that access to external websites is managed to reduce exposure to malicious content. | How to audit ISO 27001 Annex A 8.23 |
| ISO 27001 Annex A 8.24 | Use of cryptography | Check the policy on the use of cryptographic controls for the protection of information. | How to audit ISO 27001 Annex A 8.24 |
| ISO 27001 Annex A 8.25 | Secure development lifecycle | Audit the establishment and application of rules for secure development of software and systems. | How to audit ISO 27001 Annex A 8.25 |
| ISO 27001 Annex A 8.26 | Application security requirements | Verify that information security requirements are identified, specified, and approved when developing or acquiring applications. | How to audit ISO 27001 Annex A 8.26 |
| ISO 27001 Annex A 8.27 | Secure system architecture and engineering principles | Check that principles for engineering secure systems are established, documented, maintained, and applied. | How to audit ISO 27001 Annex A 8.27 |
| ISO 27001 Annex A 8.28 | Secure coding | Audit the application of secure coding principles to software development to reduce vulnerabilities. | How to audit ISO 27001 Annex A 8.28 |
| ISO 27001 Annex A 8.29 | Security testing in development and acceptance | Verify that security testing is integrated into the development lifecycle and acceptance testing processes. | How to audit ISO 27001 Annex A 8.29 |
| ISO 27001 Annex A 8.30 | Outsourced development | Check that the organization supervises and monitors the activity of outsourced system development. | How to audit ISO 27001 Annex A 8.30 |
| ISO 27001 Annex A 8.31 | Separation of development, test and production environments | Audit the separation of development, testing, and production environments to reduce the risk of unauthorized changes or leakage. | How to audit ISO 27001 Annex A 8.31 |
| ISO 27001 Annex A 8.32 | Change management | Verify that changes to information processing facilities and systems are controlled via a formal change management process. | How to audit ISO 27001 Annex A 8.32 |
| ISO 27001 Annex A 8.33 | Test information | Check that test information is selected, protected, and managed to prevent the exposure of operational data. | How to audit ISO 27001 Annex A 8.33 |
| ISO 27001 Annex A 8.34 | Protection of information systems during audit testing | Audit the controls ensuring that audit tests do not disrupt business operations or compromise system availability. | How to audit ISO 27001 Annex A 8.34 |
Frequently Asked Questions about Auditing ISO 27001
Q: Can I audit my own work for ISO 27001? A: No. ISO 27001 Clause 9.2 explicitly requires impartiality. You cannot mark your own homework. If you implemented the control, you cannot audit it. You need a colleague from a different department or an external consultant to do it. Don’t risk a major non-conformity over this.
Q: What is the difference between an Internal Audit and a Certification Audit? A: An Internal Audit is a dress rehearsal. It’s you (or a consultant) checking your own systems to find gaps before the external auditor arrives. A Certification Audit is the main event, where an accredited body (like BSI or SGS) comes in to decide if you get the certificate on the wall. You must complete a full cycle of internal audits before the certification auditor sets foot in the building.
Q: Do I need to audit every single Annex A control every year? A: Technically, no, but you’re playing a dangerous game if you don’t. The standard says you need to audit based on “risk and importance.” However, for your first certification, you should absolutely audit everything to ensure your Statement of Applicability is actually true. Over time, you can audit high-risk areas more frequently and low-risk areas less often (e.g., every 3 years), but start with 100% coverage.
Q: What is the most common failure in an ISO 27001 audit? A: Lack of evidence. Auditors don’t trust; they verify. You can tell them you have a “robust incident management process,” but if you can’t show them a log of incidents, a ticket history, or a “lessons learned” report, you fail. If it isn’t written down or recorded, it didn’t happen.
Q: How do I audit “Leadership” (Clause 5)? A: You interview top management. You don’t send them a questionnaire. You sit them down and ask them about the ISMS policy, their role in supporting it, and how they ensure resources are available. If the CEO doesn’t know what the Information Security Policy is, you raise a finding. It’s that simple.