The ISO 27001 Clause 6.1 audit checklist is designed to help an ISO 27001 Lead Auditor conduct internal and external audits of:
- ISO 27001 Clause 6.1.1 Planning General
- ISO 27001 Clause 6.1.2 Information Security Risk Assessment
- ISO 27001 Clause 6.1.3 Information Security Risk Treatment
The 10-point ISO 27001 audit plan per sub-clause sets out what to audit, the challenges faced and the audit techniques to adopt.
ISO 27001 Clause 6.1.1 Planning General Audit
ISO 27001 Clause 6.1.1 Audit Checklist:
Review the Risk Assessment Methodology
Verify the existence and appropriateness of a documented risk assessment methodology.
Challenges
Methodology may be outdated, not aligned with current best practices, or too complex to be effectively implemented. It might not address emerging threats or specific industry requirements. Lack of consistent application of the methodology across the organisation.
Audit Techniques
Document review (policies, procedures), interviews with risk management personnel, comparison against ISO 31000 principles, observation of a risk assessment in progress.
Examine Risk Registers and Documentation
Inspect the risk register for completeness, accuracy, and evidence of risk analysis (likelihood and impact).
Challenges
Risk register may be incomplete, containing outdated or inaccurate information. Risk analysis may be superficial, lacking sufficient detail to inform decision-making. Difficulty in quantifying likelihood and impact. Risk appetite may not be clearly defined.
Audit Techniques
Document review (risk register, risk assessment reports), data analysis (trends in risk levels), sampling of risk entries for detailed review, interviews with risk owners.
Evaluate the Identification of Opportunities
Confirm the process for identifying opportunities for ISMS improvement.
Challenges
Lack of a formal process for identifying opportunities. Opportunities may be overlooked or not prioritised effectively. Resistance to change or a lack of resources to implement improvements. Difficulty in measuring the potential benefits of opportunities.
Audit Techniques
Interviews with management and staff, analysis of improvement logs and project proposals, review of strategic planning documents.
Assess the Risk Treatment Process
Verify the defined process for selecting and implementing risk treatment options.
Challenges
Risk treatment process may be inadequate, failing to consider all available options. Decisions may be made based on cost rather than effectiveness. Lack of clear criteria for selecting risk treatments. Difficulty in balancing security with business needs.
Audit Techniques
Document review (policies, procedures), interviews with risk management personnel, review of risk treatment decisions and their rationale, walkthrough of a risk treatment selection process.
Evaluate Opportunity Implementation Plans
Review plans for implementing identified opportunities.
Challenges
Implementation plans may be incomplete, lacking clear timelines, responsibilities, or resource allocation. Projects may be delayed or cancelled due to competing priorities. Difficulty in managing the implementation of multiple opportunities simultaneously.
Audit Techniques
Document review (project plans, implementation schedules), interviews with project managers, review of resource allocation documentation, observation of opportunity implementation activities.
Verify the Establishment of Objectives
Confirm the existence of SMART objectives for risk treatment and opportunity implementation.
Challenges
Objectives may be vague, unmeasurable, or not aligned with strategic goals. Difficulty in tracking progress towards objectives. Lack of ownership for achieving objectives.
Audit Techniques
Document review (ISMS objectives, risk treatment plans), interviews with management, analysis of performance metrics and reports, review of strategic plans.
Examine Risk Treatment and Opportunity Implementation Plans
Inspect documented plans for details on chosen options, implementation steps, responsibilities, and timelines.
Challenges
Plans may lack sufficient detail, making it difficult to implement them effectively. Responsibilities may be unclear, leading to confusion and delays. Timelines may be unrealistic or not adhered to.
Audit Techniques
Document review (risk treatment plans, project plans), walkthrough of an implementation plan, interviews with responsible parties, review of change management records.
Review Evidence of Implementation
Gather evidence of implemented risk treatments and opportunity implementation plans.
Challenges
Difficulty in obtaining sufficient evidence to demonstrate implementation. Evidence may be incomplete or inaccurate. Lack of clear documentation of implementation activities.
Audit Techniques
Document review (policies, procedures, training records, system configurations, test results), observation of processes, interviews with staff, penetration testing (for technical controls).
Evaluate Communication and Consultation
Check processes for communicating risk and opportunity information to stakeholders.
Challenges
Communication may be inadequate, failing to reach all relevant stakeholders. Information may be too technical or difficult to understand. Lack of feedback mechanisms to assess communication effectiveness.
Audit Techniques
Interviews with stakeholders, review of communication logs and meeting minutes, analysis of communication effectiveness surveys, review of stakeholder feedback mechanisms.
Assess the Effectiveness of Actions
Evaluate the effectiveness of implemented actions in achieving objectives.
Challenges
Difficulty in measuring the effectiveness of actions. Lack of clear metrics or performance indicators. Changes in the business environment may make it difficult to assess the impact of actions.
Audit Techniques
Analysis of performance data (e.g., incident rates, vulnerability scan results), review of management review outputs, interviews with management and staff, benchmarking against industry best practices.
ISO 27001 Clause 6.1.2 Information Security Risk Assessment Audit
ISO 27001 Clause 6.1.2 Audit Checklist:
Review the Risk Assessment Methodology
Verify the existence and appropriateness of a documented methodology for identifying, analysing, and evaluating risks.
Challenges
Methodology might be generic and not tailored to the organisation’s specific context. It may not address emerging risk types (e.g., supply chain risks, AI-related risks). Difficulties in consistently applying the methodology across different departments or teams.
Audit Techniques
Document review (policies, procedures), interviews with risk management personnel, comparison against ISO 31000 principles, observation of a risk assessment in progress.
Examine the Scope Definition
Ensure the risk assessment scope is clearly defined and comprehensive, covering all relevant assets, processes, and locations.
Challenges
Defining the boundaries of the scope can be difficult, especially for complex organisations. Scope creep can occur, making the risk assessment process unmanageable. Omitting key assets or processes due to oversight or misunderstanding.
Audit Techniques
Document review (scope definition document), interviews with interested parties across different departments, review of asset inventory and process maps, site visits to verify physical locations are included.
Evaluate the Asset Identification Process
Verify the process for identifying and cataloguing information assets, including data, software, hardware, and physical resources.
Challenges
Difficulty in identifying all information assets, especially intangible assets like knowledge and reputation. Maintaining an up-to-date asset register in a dynamic environment. Inconsistent asset classification and labelling.
Audit Techniques
Document review (asset register, data flow diagrams), interviews with asset owners, review of automated asset discovery tools output, sampling of assets to verify their inclusion in the inventory.
Assess Threat Identification
Verify the process for identifying potential threats, including both internal and external threats, and emerging threats.
Challenges
Keeping up with the ever-evolving threat landscape. Difficulty in identifying insider threats. Over-reliance on known threats and neglecting emerging ones.
Audit Techniques
Interviews with security experts and threat intelligence analysts, review of threat intelligence feeds and reports, analysis of incident history, review of threat modelling exercises.
Evaluate Vulnerability Identification
Verify the process for identifying weaknesses in the ISMS that could be exploited by threats.
Challenges
Vulnerability scanning tools might not detect all vulnerabilities. Penetration testing can be costly and time-consuming. Difficulty in remediating identified vulnerabilities due to resource constraints or technical limitations.
Audit Techniques
Review of vulnerability scanning and penetration testing reports, analysis of security audit findings, review of code review results, interviews with technical staff.
Assess Likelihood Analysis
Verify the process for estimating the likelihood of threats occurring, including the criteria and data used for estimations.
Challenges
Estimating likelihood can be subjective and based on limited data. Difficulty in predicting the likelihood of rare but high-impact events. Inconsistent application of likelihood scales.
Audit Techniques
Review of risk assessment documentation, interviews with risk assessors, analysis of historical data and industry trends, review of likelihood scales and their justification.
Evaluate Impact Analysis
Verify the process for estimating the potential impact of successful threat exploits, including the criteria and data used for estimations.
Challenges
Quantifying the impact of intangible losses, such as reputational damage. Difficulty in estimating the cascading effects of a security breach. Lack of coordination between technical and business teams in impact assessment.
Audit Techniques
Review of risk assessment documentation, interviews with business impact analysis (BIA) team, analysis of potential financial, operational, legal, and reputational impacts, review of impact scales and their justification.
Examine Risk Evaluation and Prioritisation
Verify the process for combining likelihood and impact to determine risk levels and prioritise risks.
Challenges
Risk matrices can oversimplify risk assessment. Difficulty in comparing risks with different types of impact. Lack of clear risk acceptance criteria.
Audit Techniques
Review of risk matrix or other risk assessment tool, analysis of risk levels assigned to different risks, interviews with risk management personnel, review of risk acceptance criteria.
Review Risk Assessment Documentation
Inspect the risk register or equivalent documentation for completeness, accuracy, and consistency.
Challenges
Maintaining up-to-date and accurate risk registers. Risk information might be scattered across different systems and documents. Difficulty in extracting meaningful insights from risk data.
Audit Techniques
Document review (risk register, risk assessment reports), data analysis (trends in risk levels), sampling of risk entries for detailed review, interviews with risk owners.
Assess the Review and Update Process
Verify the process for regularly reviewing and updating the risk assessment to reflect changes in the threat landscape, vulnerabilities, and business environment.
Challenges
Risk assessments might not be updated frequently enough. Lack of clear triggers for reviewing the risk assessment. Difficulty in incorporating lessons learned from security incidents into the risk assessment process.
Audit Techniques
Review of risk assessment update schedule, interviews with risk management personnel, review of change management records, analysis of how new threats and vulnerabilities are incorporated into the risk assessment.
ISO 27001 Clause 6.1.3 Information Security Risk Treatment Audit
ISO 27001 Clause 6.1.3 Audit Checklist:
Review Risk Treatment Options Identification
Verify the organisation has a process for identifying appropriate risk treatment options (modification, transfer, avoidance, acceptance).
Challenges
Limited understanding of available treatment options, difficulty in quantifying the impact of different treatments, bias towards familiar solutions. Risk owners might not be engaged in the process.
Audit Techniques
Document review (policies, procedures), interviews with risk management personnel, review of past risk treatment decisions and their rationale, walkthrough of a risk treatment identification process.
Assess Risk Treatment Selection
Ensure the organisation has criteria for selecting risk treatment options, considering factors like cost, feasibility, and business objectives.
Challenges
Lack of clear criteria, inconsistent application of criteria, pressure to choose the cheapest option rather than the most effective. Difficulty in demonstrating the link between treatment selection and business objectives.
Audit Techniques
Document review (risk acceptance criteria, cost-benefit analysis templates), interviews with decision-makers, examination of selected risk treatments and their justification, analysis of resource allocation for different treatments.
Examine Risk Treatment Plans
Verify the existence and completeness of risk treatment plans, including specific actions, responsibilities, timelines, and resources.
Challenges
Plans might be incomplete, unrealistic, or not properly communicated. Lack of clear ownership and accountability for implementation. Difficulty in tracking progress against timelines.
Audit Techniques
Document review (risk treatment plans, project plans), interviews with project managers and responsible parties, review of resource allocation documentation, walkthrough of a risk treatment plan.
Evaluate Risk Treatment Implementation
Confirm that risk treatment plans have been implemented as documented.
Challenges
Implementation might be delayed, incomplete, or not performed as planned. Lack of evidence to demonstrate effective implementation. Resistance to change from staff.
Audit Techniques
Document review (implementation records, change management logs, training records), observation of processes, interviews with staff, testing of implemented controls (e.g., penetration testing for technical controls).
Assess Monitoring and Review of Risk Treatments
Verify the organisation monitors the effectiveness of implemented risk treatments and reviews them regularly.
Challenges
Monitoring might be inadequate, infrequent, or not linked to the original risk assessment. Lack of clear metrics for measuring effectiveness. Difficulty in demonstrating the value of risk treatments.
Audit Techniques
Review of performance data (e.g., incident rates, vulnerability scan results), interviews with staff responsible for monitoring, review of management review outputs, examination of risk treatment review records.
Examine Risk Treatment Documentation
Inspect records of risk treatment decisions, chosen options, rationale, implementation plans, and monitoring results for completeness and accuracy.
Challenges
Documentation might be incomplete, inaccurate, or out of date. Difficulty in maintaining version control. Lack of a central repository for risk treatment information.
Audit Techniques
Document review (risk register, risk treatment reports), data analysis (trends in risk treatment effectiveness), sampling of risk treatment records for detailed review, interviews with risk owners.
Evaluate Communication of Risk Treatment Information
Verify that risk treatment information is communicated to relevant stakeholders.
Challenges
Communication might be ineffective, inconsistent, or not targeted to the right audience. Lack of feedback mechanisms to assess communication effectiveness. Difficulty in translating technical information into business terms.
Audit Techniques
Interviews with stakeholders, review of communication logs and meeting minutes, analysis of communication effectiveness surveys, review of stakeholder feedback mechanisms.
Assess Acceptance of Residual Risks
Confirm that residual risks (risks remaining after treatment) are formally accepted by management.
Challenges
Management might not fully understand the residual risks. Acceptance might be implicit rather than explicit. Lack of clear criteria for accepting residual risks.
Audit Techniques
Review of risk acceptance documentation, interviews with management, examination of residual risk levels and their justification, review of risk acceptance criteria.
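As an added example (not from the page, the standard, or any audit tool), the consistency checks an auditor would apply when sampling risk entries for the risk evaluation item in 6.1.2 and the residual risk acceptance item above, run over a constructed sample register. The 1-5 scales, the matrix bands, the acceptance threshold and the register entries are assumptions standing in for an organisation's own criteria.

```python
from dataclasses import dataclass
from typing import Optional

SCALE = range(1, 6)   # constructed 1-5 likelihood and impact scales
ACCEPTANCE_MAX = 6    # constructed acceptance criterion: a score of 6 or less may be accepted

def band(score: int) -> str:
    """Map a likelihood x impact score to a level band (constructed risk matrix)."""
    return "Low" if score <= 5 else "Medium" if score <= 10 else "High" if score <= 15 else "Critical"

@dataclass
class Risk:
    risk_id: str
    owner: Optional[str]
    likelihood: int
    impact: int
    recorded_level: str                 # level as written in the register
    treatment: Optional[str]            # modify / transfer / avoid / accept / None
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None
    accepted_by: Optional[str] = None   # explicit management sign-off, if recorded

def check_risk(r: Risk) -> list[str]:
    """Return audit findings for one register entry (an empty list means consistent)."""
    findings = []
    if not r.owner:
        findings.append("no risk owner assigned")
    if r.likelihood not in SCALE or r.impact not in SCALE:
        return findings + ["likelihood or impact outside the 1-5 scale"]
    score = r.likelihood * r.impact
    if band(score) != r.recorded_level:
        findings.append(f"recorded level {r.recorded_level} disagrees with matrix ({band(score)})")
    # Residual score is unchanged when the risk is untreated or simply accepted.
    if r.treatment in ("modify", "transfer", "avoid"):
        if r.residual_likelihood is None or r.residual_impact is None:
            return findings + ["treated risk has no residual likelihood/impact recorded"]
        residual = r.residual_likelihood * r.residual_impact
        if residual > score:
            findings.append("residual score exceeds inherent score; treatment rationale unclear")
    else:
        residual = score
    if r.treatment is None and score > ACCEPTANCE_MAX:
        findings.append("untreated risk above acceptance criteria")
    elif residual > ACCEPTANCE_MAX and not r.accepted_by:
        findings.append("residual risk above acceptance criteria without explicit management acceptance")
    return findings

def audit_register(register: list[Risk]) -> dict[str, list[str]]:
    """Findings keyed by risk id, only for entries with at least one finding."""
    return {r.risk_id: f for r in register if (f := check_risk(r))}

SAMPLE_REGISTER = [  # constructed sample entries, not real data
    Risk("R-01", "Alice", 4, 4, "Critical", "modify", 2, 4, accepted_by="CISO"),
    Risk("R-02", None, 3, 5, "Medium", "modify", 2, 3),
    Risk("R-03", "Bob", 2, 2, "Low", "accept"),
    Risk("R-04", "Carol", 5, 3, "High", "transfer", 3, 3),
    Risk("R-05", "Dan", 3, 3, "Medium", None),
]

if __name__ == "__main__":
    for risk_id, findings in audit_register(SAMPLE_REGISTER).items():
        print(risk_id, "->", "; ".join(findings))
```

The same checks extend to a register exported as CSV by replacing the constructed list with parsed rows; each finding maps to one of the challenges listed above (missing owners, inconsistent scales, implicit rather than explicit acceptance).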
Evaluate Maintenance and Update of Risk Treatments
Verify that risk treatments are regularly reviewed and updated to reflect changes in the threat landscape, vulnerabilities, and business environment.
Challenges
Reviews might be infrequent or not triggered by changes in the environment. Difficulty in assessing the impact of changes on risk treatments. Lack of a process for updating risk treatments.
Audit Techniques
Review of risk treatment update schedule, interviews with risk management personnel, review of change management records, analysis of how new threats and vulnerabilities are incorporated into risk treatment reviews.
Assess Continuous Improvement of Risk Treatment Processes
Verify that the organisation seeks opportunities to improve the effectiveness and efficiency of its risk treatment processes.
Challenges
Lack of metrics to measure the effectiveness of risk treatment processes. Limited resources for process improvement initiatives. Resistance to change from staff.
Audit Techniques
Interviews with risk management personnel, review of process improvement initiatives, analysis of metrics related to risk treatment effectiveness, benchmarking against industry best practices.
Further Reading
ISO 27001 Clause 6.1.1 Planning General
ISO 27001 Clause 6.1.2 Information Security Risk Assessment
ISO 27001 Clause 6.1.3 Information Security Risk Treatment