The ISO 27001 Clause 7.5 audit checklist is designed to help an ISO 27001 Lead Auditor conduct internal and external audits of:
- ISO 27001 Clause 7.5.1 Documented Information
- ISO 27001 Clause 7.5.2 Creating and Updating Documented Information
- ISO 27001 Clause 7.5.3 Control of Documented Information
The 10-point ISO 27001 audit plan per sub-clause sets out what to audit, the challenges faced and the audit techniques to adopt.
With over 30 years' industry experience, I will show you the audit checklist used by professional ISO 27001 Lead Auditors for ISO 27001 certification.
I am Stuart Barker, author of the Ultimate ISO 27001 Toolkit, and this is the ISO 27001 Documented Information audit checklist.
ISO 27001 Clause 7.5.1 Documented Information Audit
Documented Information Control
The organisation should have a documented procedure for controlling all documented information required by the ISMS. This includes approval, review, updating, and access control.
Challenges:
Maintaining version control, ensuring only approved versions are available, and managing the distribution and retrieval of documents.
Audit Techniques:
Review the documented procedure for document control, examine records of document approvals and revisions, and check the system for managing document access.
Identification and Description
Documented information should be appropriately identified and described (e.g., title, author, version number).
Challenges:
Maintaining consistency in naming conventions, ensuring documents are easily searchable, and avoiding duplication.
Audit Techniques:
Review a sample of documented information to verify proper identification and description, and check the document management system for consistency.
Format and Media
The organisation should define the appropriate format and media for documented information (e.g., electronic, paper).
Challenges:
Ensuring compatibility across different systems, managing different media types, and considering accessibility requirements.
Audit Techniques:
Review the organisation’s policy on document format and media, examine examples of different document formats, and check for accessibility considerations.
Review and Approval
Documented information should be reviewed and approved by authorised personnel before being issued.
Challenges:
Ensuring reviews are conducted by subject matter experts, managing the review and approval process efficiently, and maintaining records of approvals.
Audit Techniques:
Examine records of document reviews and approvals, interview staff responsible for reviewing and approving documents, and check the approval workflow.
Availability and Access
Documented information should be readily available to those who need it.
Challenges:
Providing access to the right people, managing access permissions, and ensuring availability even during system outages.
Audit Techniques:
Review access control lists, interview staff about their access to documented information, and test the availability of documents in different scenarios.
Control of Changes
Changes to documented information should be controlled and authorised.
Challenges:
Preventing unauthorised changes, tracking revisions, and communicating changes to relevant stakeholders.
Audit Techniques:
Review the change management process for documented information, examine records of changes, and interview staff about how changes are communicated.
Version Control
Documented information should have clear version control, so that the current version is easily identifiable.
Challenges:
Avoiding confusion between different versions, managing a large number of versions, and ensuring obsolete versions are removed.
Audit Techniques:
Examine version numbers and dates on documents, check the document management system for version control features, and verify the process for retiring obsolete documents.
Storage and Protection
Documented information should be stored and protected to prevent loss, damage, or unauthorised access.
Challenges:
Implementing appropriate security measures, managing physical and electronic storage, and ensuring business continuity.
Audit Techniques:
Review security controls for document storage, examine physical storage locations, and check backup and recovery procedures for electronic documents.
Retention and Disposal
The organisation should have a policy for retaining and disposing of documented information.
Challenges:
Complying with legal and regulatory requirements, managing storage space, and securely disposing of sensitive information.
Audit Techniques:
Review the document retention and disposal policy, examine records of document disposal, and check the security of disposal methods.
External Documents
The organisation should control external documents that are relevant to the ISMS.
Challenges:
Identifying and managing relevant external documents, ensuring they are up to date, and controlling their distribution.
Audit Techniques:
Identify key external documents (e.g., standards, legislation), check their availability and version control, and review the process for incorporating them into the ISMS.
ISO 27001 Clause 7.5.2 Creating and Updating Documented Information Audit
Purpose of Documented Information
Before creating or updating documented information, the purpose and intended use should be clearly defined.
Challenges:
Ensuring the purpose is aligned with ISMS objectives and that the level of detail is appropriate for the intended audience. Avoiding creation of unnecessary documentation.
Audit Techniques:
Review documented procedures for creating/updating information. Interview document authors/owners to understand the purpose of specific documents. Examine a sample of documents and their stated purpose.
Suitability of Documented Information
The documented information should be suitable, adequate, and effective for its intended purpose.
Challenges:
Maintaining accuracy, completeness, and consistency of information. Ensuring it’s easily understood and usable by the target audience.
Audit Techniques:
Review documents for clarity, accuracy, and completeness. Interview users to assess their understanding and usability of the information. Compare information across related documents for consistency.
Identification of Changes
Changes to documented information should be clearly identified.
Challenges:
Tracking revisions effectively, highlighting changes made, and ensuring the audit trail is maintained.
Audit Techniques:
Examine document version histories, change logs, or tracked changes within documents. Interview document owners about the process for identifying changes.
Authorisation of Changes
Changes to documented information should be authorised by appropriate personnel.
Challenges:
Establishing clear authorisation levels, ensuring timely approvals, and preventing unauthorised modifications.
Audit Techniques:
Review documented approval processes. Examine records of approvals for recent changes. Interview document approvers about their responsibilities.
Review of Documented Information
Documented information should be reviewed periodically or when significant changes occur.
Challenges:
Defining appropriate review frequency, ensuring reviews are conducted by subject matter experts, and managing the review process efficiently.
Audit Techniques:
Review document review schedules and records. Interview document reviewers about the review process and criteria. Examine a sample of reviewed documents.
Control of Obsolete Documents
Obsolete documented information should be controlled to prevent unintended use.
Challenges:
Identifying and removing obsolete documents, communicating the status of documents, and managing archived information.
Audit Techniques:
Check the document management system for controls over obsolete documents. Examine procedures for archiving and retrieving obsolete information.
Availability of Current Versions
Only current approved versions of documented information should be readily available to relevant users.
Challenges:
Preventing access to outdated information, managing distribution of documents, and ensuring availability across different locations.
Audit Techniques:
Verify access controls to current versions of documents. Interview users about their access to information. Test the retrieval process for current documents.
Document Format and Media
The organisation should define the appropriate format and media for documented information.
Challenges:
Maintaining compatibility across different systems, managing different media types (e.g., electronic, paper), and considering accessibility needs.
Audit Techniques:
Review the organisation’s policy on document format and media. Examine examples of different document formats. Check for accessibility considerations.
Document Identification and Description
Documented information should be clearly identified and described (e.g., title, author, version number).
Challenges:
Maintaining consistency in naming conventions, ensuring documents are easily searchable, and avoiding duplication.
Audit Techniques:
Review a sample of documented information to verify proper identification and description. Check the document management system for consistency.
Document Storage and Protection
Documented information should be stored and protected to prevent loss, damage, or unauthorised access.
Challenges:
Implementing appropriate security measures, managing physical and electronic storage, and ensuring business continuity.
Audit Techniques:
Review security controls for document storage. Examine physical storage locations. Check backup and recovery procedures for electronic documents.
ISO 27001 Clause 7.5.3 Control of Documented Information Audit
Document Approval
Ensuring documented information is reviewed and approved by authorised personnel before issue.
Challenges:
Defining appropriate authorisation levels, ensuring timely approvals, and preventing unauthorised release.
Audit Techniques:
Review documented approval processes, examine records of approvals, and interview document approvers.
Document Review and Update
Regular review and update of documented information to maintain its suitability, adequacy, and effectiveness.
Challenges:
Defining review frequency, ensuring reviews are conducted by subject matter experts, and managing the update process efficiently.
Audit Techniques:
Review document review schedules and records, interview reviewers, and examine updated documents.
Version Control
Maintaining clear version control to ensure the correct version is used.
Challenges:
Preventing confusion between versions, managing a large number of versions, and retiring obsolete versions.
Audit Techniques:
Examine version numbers and dates, check document management system features, and verify the process for retiring obsolete documents.
Availability at Point of Use
Ensuring current versions of documented information are readily available to those who need them.
Challenges:
Providing access to the right people, managing access permissions, and ensuring availability across different locations.
Audit Techniques:
Verify access controls, interview users about access, and test document retrieval.
Legibility and Identifiability
Documented information should be legible and easily identifiable.
Challenges:
Maintaining consistent formatting, ensuring readability across different media, and managing document metadata.
Audit Techniques:
Examine documents for legibility and consistent formatting, and check document metadata.
Control of Changes
Changes to documented information should be controlled and authorised.
Challenges:
Preventing unauthorised changes, tracking revisions, and communicating changes effectively.
Audit Techniques:
Review change management processes, examine change records, and interview staff about communication of changes.
Control of Obsolete Documents
Obsolete documented information should be controlled to prevent unintended use.
Challenges:
Identifying and removing obsolete documents, communicating document status, and managing archived information.
Audit Techniques:
Check the document management system for controls over obsolete documents, and examine procedures for archiving and retrieval.
Storage and Protection
Documented information should be stored and protected to prevent loss, damage, or unauthorised access.
Challenges:
Implementing security measures, managing physical and electronic storage, and ensuring business continuity.
Audit Techniques:
Review security controls, examine storage locations, and check backup and recovery procedures.
Retention and Disposal
Policies for retaining and disposing of documented information.
Challenges:
Complying with legal requirements, managing storage space, and securely disposing of sensitive information.
Audit Techniques:
Review retention and disposal policies, examine disposal records, and check the security of disposal methods.
External Documents
Control of external documents relevant to the ISMS.
Challenges:
Identifying and managing relevant documents, ensuring they are up to date, and controlling distribution.
Audit Techniques:
Identify key external documents, check availability and version control, and review the process for incorporating them.
Further Reading
ISO 27001 Clause 7.5.1 Documented Information
ISO 27001 Clause 7.5.2 Creating and Updating Documented Information
ISO 27001 Clause 7.5.3 Control of Documented Information