The ISO 27001 Clause 8.3 audit checklist is designed to help an ISO 27001 Lead Auditor conduct internal audits and external audits of ISO 27001 Clause 8.3 Information Security Risk Treatment.
The 10-point ISO 27001 audit plan sets out what to audit, the challenges faced and the audit techniques to adopt.
With over 30 years' industry experience I will show you the audit checklist used by professional ISO 27001 Lead Auditors for ISO 27001 certification.
I am Stuart Barker, author of the Ultimate ISO 27001 Toolkit and this is the ISO 27001 Risk Treatment audit checklist.
Risk Assessment Linkage
Verify a clear link between the identified risks from the risk assessment (Clause 8.2) and the chosen risk treatment options. Treatments should directly address the assessed risks.
Challenges
Treatments not clearly linked to specific risks, generic treatments applied without considering the specific risk context.
Audit Techniques
Review risk registers and treatment plans, trace individual risks through to their corresponding treatments, interview risk owners to confirm understanding of the linkage.
Treatment Option Justification
Confirm that the rationale for selecting a specific risk treatment option is documented and justified. Simply stating the chosen option is insufficient; why that option was chosen is crucial.
Challenges
Lack of documented justification, justifications based on opinion rather than analysis, justifications that don’t consider all relevant factors.
Audit Techniques
Examine risk treatment documentation, interview risk owners and management, look for evidence of analysis that supports the chosen option (e.g., cost-benefit analysis, feasibility studies).
Control Implementation Evidence
Verify that the planned controls for mitigating risks have been implemented. This goes beyond just having a policy; it requires evidence of the control’s existence and operation.
Challenges
Policies exist but controls haven’t been implemented, controls implemented incorrectly, lack of evidence to demonstrate implementation.
Audit Techniques
Inspect physical controls, examine system configurations for technical controls, review staff training records for awareness controls, conduct penetration testing and vulnerability scanning, observe processes in action.
Control Effectiveness Testing
Ensure that controls are regularly tested to confirm they are operating effectively as intended. This should include both technical testing (e.g., penetration testing) and non-technical testing (e.g., process reviews).
Challenges
Infrequent or inadequate testing, testing not covering all critical controls, lack of documented test results.
Audit Techniques
Review penetration test reports, vulnerability scan results, audit logs, and other testing documentation. Observe control operation, interview staff about control procedures.
Resource Sufficiency
Verify that adequate resources (financial, human, technical) have been allocated to implement, operate, and maintain the risk treatments and associated controls.
Challenges
Insufficient budget, lack of skilled personnel, inadequate tools or technologies, resources diverted to other priorities.
Audit Techniques
Review budget documentation, resource allocation plans, project plans, and training records. Interview management and relevant staff about resource availability.
Residual Risk Acceptance
Where residual risk remains after treatment, confirm that it has been formally accepted by appropriate management. The level of residual risk should be documented and justified.
Challenges
Residual risk not formally documented, acceptance by inappropriate levels of management, lack of justification for the level of residual risk accepted.
Audit Techniques
Review risk registers and treatment plans for documented residual risk acceptance, interview management to confirm understanding and acceptance of residual risk.
Monitoring and Review Frequency
Ensure that the effectiveness of risk treatments and controls is monitored and reviewed at appropriate frequencies. The frequency should be based on the level of risk and the changing threat landscape.
Challenges
Infrequent or inadequate monitoring, monitoring frequency not aligned with risk level, lack of a defined monitoring schedule.
Audit Techniques
Review monitoring logs, incident reports, vulnerability scan results, and management review minutes. Interview risk owners and management about the monitoring process.
Metrics and Measurement
Verify that appropriate metrics are used to measure the effectiveness of risk treatments and controls. These metrics should be quantifiable and provide meaningful insights.
Challenges
Lack of defined metrics, metrics that are not relevant or measurable, data not collected or analysed effectively.
Audit Techniques
Review risk treatment plans and monitoring procedures, examine reports on control effectiveness, interview risk owners and management about the metrics used.
Continual Improvement of the Process
Ensure that the risk treatment process itself is subject to continual improvement. This includes learning from incidents, audit findings, and changes in the threat landscape.
Challenges
Lack of a formal process for continual improvement, failure to incorporate lessons learned, improvements not documented or implemented.
Audit Techniques
Review records of process improvement initiatives, interview management about improvement activities, examine how feedback from audits and incidents is used to update the risk treatment process.
Communication of Risk Treatment
Verify that information about identified risks and their treatment plans is communicated effectively to relevant stakeholders.
Challenges
Inadequate communication, communication not reaching the right stakeholders, information not communicated in a timely manner or in an understandable format.
Audit Techniques
Review communication plans, interview stakeholders about their understanding of risks and treatments, examine evidence of communication (e.g., meeting minutes, reports, emails). Assess the effectiveness of communication by asking stakeholders about their awareness of key risks and controls.
Further Reading
ISO 27001 Clause 8.3 Information Security Risk Treatment