The ISO 27001 Clause 6.2 audit checklist is designed to help an ISO 27001 Lead Auditor conduct internal audits and external audits of ISO 27001 Clause 6.2 Information Security Objectives and Planning to Achieve Them.
The 10 point ISO 27001 audit plan sets out what to audit, the challenges faced and the audit techniques to adopt.
With over 30 years' industry experience, I will show you the audit checklist used by professional ISO 27001 Lead Auditors when auditing for ISO 27001 certification.
I am Stuart Barker, author of the Ultimate ISO 27001 Toolkit and this is the ISO 27001 Objectives audit checklist.
Review Information Security Objectives
Verify that the organisation has established information security objectives at relevant functions and levels, and that they are available as documented information.
Challenges
Objectives might be missing, poorly documented, or not readily accessible. There might be a disconnect between documented objectives and actual practice. Objectives might be too numerous and overwhelming, or too few and not comprehensive enough.
Audit Techniques
Document review (ISMS objectives document, strategic plans), interviews with top management and information security management, comparison of objectives against the ISMS policy.
Assess SMART Objectives
Ensure that the objectives are Specific, Measurable, Achievable, Relevant, and Time-bound (SMART). Note that the standard itself only requires objectives to be measurable "if practicable"; SMART is the auditor's practical test of whether that requirement has been met, not a wording the standard mandates.
Challenges
Objectives might be vague, lacking clear metrics, or have unrealistic timelines. Achievability and relevance might not be properly assessed. Metrics might be collected inconsistently or not at all.
Audit Techniques
Document review (objectives documentation), interviews with those responsible for achieving the objectives, analysis of objective statements for clarity and measurability, review of metrics and KPIs associated with objectives.
Evaluate Alignment with ISMS Policy
Verify that the information security objectives are consistent with the information security policy required by Clause 5.2 (often referred to as the ISMS policy).
Challenges
The ISMS policy itself might be outdated or unclear. Objectives might have drifted from the original policy intent. There may be a lack of understanding about how the policy relates to the objectives.
Audit Techniques
Document review (ISMS policy and objectives documentation), interviews with top management, analysis of the relationship between policy statements and objectives.
Assess Consideration of Risks and Requirements
Ensure that the objectives take into account the results of the risk assessment and risk treatment carried out under Clause 6.1, and the applicable legal, regulatory, and contractual information security requirements.
Challenges
Risk assessments may be out of date or incomplete. Legal and regulatory requirements might not be fully identified or understood. Contractual obligations might be overlooked. The link between risks/requirements and the objectives might be weak.
Audit Techniques
Document review (risk assessment reports, legal and regulatory compliance documentation, contractual agreements), interviews with risk owners and legal/compliance personnel, analysis of how risks and requirements are addressed in the objectives.
Evaluate Resource Consideration
Verify that the objectives are realistic in terms of available resources (financial, human, technical).
Challenges
Resource allocation may be insufficient to achieve the objectives. Budgetary constraints might hinder progress. Resource planning might be inadequate or non-existent. There may be competition for resources with other projects.
Audit Techniques
Interviews with resource owners and budget holders, review of resource allocation plans and budgets, analysis of the feasibility of achieving objectives with available resources.
Examine Defined Responsibilities
Ensure that clear responsibilities are defined for achieving each objective.
Challenges
Roles and responsibilities might be unclear, overlapping, or missing. Individuals may not be aware of their responsibilities. Accountability for achieving objectives might be lacking.
Audit Techniques
Interviews with those responsible for achieving objectives, review of roles and responsibilities documentation, analysis of accountability for objective achievement.
Assess Established Timeframes
Verify that realistic timeframes are established for achieving each objective.
Challenges
Timeframes might be unrealistic or not aligned with project dependencies. Project planning might be inadequate. Changes in priorities might impact timelines. Progress tracking might be insufficient.
Audit Techniques
Review of objective implementation plans and schedules, interviews with project managers and those responsible for achieving objectives, analysis of timelines for feasibility.
Evaluate Measurement and Evaluation Methods
Ensure that methods for measuring and evaluating progress towards objectives are defined.
Challenges
Performance metrics might be inadequate or inappropriate. Data collection might be inconsistent or inaccurate. Reporting mechanisms might be ineffective. Analysis of data might be lacking.
Audit Techniques
Review of performance metrics and KPIs, interviews with those responsible for monitoring progress, examination of reporting mechanisms and dashboards, review of the procedures for collecting and analysing the data.
Assess Communication of Objectives
Verify that the information security objectives are communicated to relevant interested parties.
Challenges
Communication might be ineffective or inconsistent. Interested parties might not be identified or appropriately informed. Feedback mechanisms might be lacking. Communication might not be tailored to the audience.
Audit Techniques
Interviews with interested parties at different levels, review of communication plans and records, analysis of communication effectiveness, examination of awareness training materials.
Evaluate Monitoring and Review of Objectives
Verify that the objectives are monitored and reviewed at planned intervals, and updated as appropriate, so that they remain relevant and appropriate.
Challenges
Monitoring and review might be infrequent or inadequate. Changes in the business environment might not be reflected in the objectives. The review process might not be effective in identifying necessary adjustments.
Audit Techniques
Review of management review outputs, interviews with top management and information security management, examination of objective review records, analysis of the frequency and effectiveness of objective reviews.
Further Reading
ISO 27001 Clause 6.2 Information Security Objectives and Planning to Achieve Them