Audit Checklist ISO 27001

ISO 27001 Checklist

Uploaded by karina.poma.f
ISO/IEC 27001:2022 Clause Wise Audit Checklist

Columns: ISO/IEC 27001:2022 Clause No. | Questions/Checkpoints

4. Context of the organization

4.1 Understanding the organization and its context
1. Have you determined the external and internal issues relevant to the information security management system (ISMS)?
2. Are these issues relevant to the purpose of the organization and to its ability to achieve the intended outcome of the ISMS?
3. Have you considered the context of the organization's overall business activities? Does the ISMS scope cover all activities, or are any areas or functions excluded?

4.2 Understanding the needs and expectations of interested parties
1. How many interested parties are relevant to your information security management system?
2. What are the requirements of the interested parties in the information security management system?
3. Have you included legal requirements, regulatory requirements and contractual obligations in the requirements of interested parties?
4. Have you defined any other information security requirements of the organization?
5. Have you analyzed which of the interested party requirements must be addressed through the ISMS?

4.3 Determining the scope of the information security management system
- Have you determined the boundaries and applicability of the information security management system?
- Have you documented the scope of the information security management system of your organization?
a) Have you considered external and internal issues when determining the scope of the organization?
b) Have you considered any requirements of interested parties in the scope?
c) Have you considered interfaces and dependencies between activities performed by the organization and by other organizations?
d) Do you have a separate document available for the ISMS scope?
e) Have you prepared an information security management system manual including the ISMS scope?

4.4 Information security management system
- Have you established and implemented an ISMS in accordance with ISO/IEC 27001:2022?
- How did you establish the ISMS?
- How do you maintain the ISMS in your organization? What kind of documentation structure have you made?
- How do you bring continual improvement to the information security management system in accordance with this international standard?
- Have you planned for processes and their interactions as part of the information security management system?

Copy # 90 copyright @ Global Manager Group; E-mail: sales@[Link] Page 1 of 12

5. Leadership

5.1 Leadership and commitment
- How is top management demonstrating commitment to the ISMS?
a) Has top management signed and established an ISMS policy? Has it approved the ISMS objectives? Is it active in the formulation of the ISMS policy and objectives? Are the ISMS objectives in line with the strategic direction of the organization?
b) How do you ensure the integration of the information security management system requirements with the organization's processes?
c) How do you ensure that the resources needed for the information security management system (ISMS) are available? If any resources are lacking, whom do you contact? What is the formal process for getting approval of resources? How do you carry out capacity planning and budget approval to get management approval for resources related to the information security management system?
d) Have you communicated the ISMS requirements in the organization? Do you communicate the importance of effective information security management system implementation and its benefits? What method(s) are followed for communication? Are they documented?
e) How do you ensure that the ISMS achieves its intended outcome?
f) How many people are directing and supporting others to contribute to the effectiveness of the ISMS? Have you defined a related ISMS supporting team?
g) How do you promote continual improvement?
h) What are the roles of the other areas of management? How do you support and demonstrate leadership for the ISMS? How do you demonstrate your leadership and commitment to the ISO 27001 ISMS?

5.2 Policy
- Have you established an information security policy?
- Is the information security policy appropriate to the purpose of the organization?
- What is the framework for setting up the ISMS objectives? Where do you document the ISMS objectives?
- Have you included the commitment to satisfy applicable requirements related to information security in the information security policy?
- Does your information security policy ensure commitment to continual improvement of the information security management system? How do you track the continual improvement? What benefits have you achieved by implementing the ISO 27001:2022 standard?
- How do you communicate the information security policy within the organization? Have you prepared the information security policy and kept it on the notice board? Is it available as documented information for all employees and interested parties? How is it made available?
- How do you provide the information security policy to interested parties?

5.3 Organizational roles, responsibilities and authorities
- Have the responsibilities and authorities for roles relevant to information security been assigned and communicated within the organization?
- Have you prepared documented job descriptions including responsibilities and authorities for roles relevant to information security? Are the job descriptions approved by top management?
- In the job descriptions, have you clearly defined the authorities and responsibilities of all concerned persons and how they contribute to meeting the requirements of the ISO 27001:2022 standard? Are the roles clearly defined in the job descriptions to avoid conflict? Are the authorities and responsibilities communicated to the concerned employees?
- Have you defined responsibilities and authorities for reporting the performance of the ISMS within the organization? Do you report the performance of the information security management system to top management? How is it reported, and who is responsible?

6. Planning

6.1 Actions to address risks and opportunities

6.1.1 General
- When planning for the information security management system, have you considered the internal and external issues referred to in 4.1 and the requirements of interested parties referred to in 4.2, and determined the risks and opportunities that need to be addressed?
- How do you ensure the information security management system can achieve its intended outcome?
- How do you prevent or reduce undesired effects related to risk?
- How do you achieve continual improvement?
- How do you plan actions to address these risks and opportunities? How do you integrate and implement these actions into the information security management system processes?
- How do you evaluate the effectiveness of the actions related to risks and opportunities?
- What do you evaluate to ensure the effectiveness of the actions?

6.1.2 Information security risk assessment
- How do you define an information security risk assessment process?
- How do you establish and maintain information security risk criteria? Have you included the risk acceptance criteria? Where have you included them? Who is responsible for doing the risk assessment?
- How do you determine the criteria for performing information security risk assessments?
- How do you ensure that repeated information security risk assessments produce consistent, valid and comparable results?
- How do you identify the information security risks? How do you apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability of information within the scope of the ISMS?
- Where have you defined the information security risk assessment process?
- Have you identified risk owners? How do you identify the risk owners? Where have you identified the risk owners?
- How do you analyze the information security risks?
- When do you assess the potential consequences that would result if the risks identified were to materialize? How do you assess such risks? Where are they kept in documented information?
- How do you assess the realistic likelihood of the occurrence of the risks identified?
- What are the criteria to determine the levels of risk? How do you identify the risk level? Who is responsible for this?
- How do you evaluate the information security risks?
- How do you compare the analyzed risks with the risk criteria established? How do you establish priorities for treatment? How do you implement the risk treatment?
- Where do you retain documented information about the information security risk assessment process? Who is authorized to establish, control and update it? What is the frequency of updating the information security risk assessment?
- Do you compare the results of the risk analysis with the risk criteria established?
- Do you evaluate the information security risks?
- Have you documented the analysis of risks and the risk treatment?

6.1.3 Information security risk treatment
- How do you apply an information security risk treatment process?
- How do you select information security risk treatment options? What items are considered in information security risk treatment? Have you taken account of the risk assessment results?
- How do you determine the controls that are necessary to implement the information security risk treatment options? Have you considered all the controls? What are the sources of the controls considered, and how do you implement such controls?
- Have you reviewed the controls given in Annex A of the ISO 27001:2022 standard while implementing the various controls in your organization? How do you verify that no necessary controls from that list are missed in the SOA? If you are not considering any controls, have you justified their exclusion? What objectives, other than those specified in Annex A, have you selected?
- Have you produced a Statement of Applicability with the list of necessary controls? Have you given the justification for the inclusion of such controls? Where? Have you given the justification for the exclusion of controls given in Annex A? Where is it given? Are any controls implemented partially? Why? Is there any control from Annex A that is not applicable to you? What are such controls, and where are they provided in documented information?
- Have you formulated an information security risk treatment plan? Where? Is this risk treatment plan covered in the documented information of controls?
- How do you obtain the risk owners' approval of the information security risk treatment plan? Who approved it and when? Have you obtained acceptance of the residual information security risks? Does management approve it?
- How do you retain documented information about the information security risk treatment process?

6.2 Information security objectives and planning to achieve them
- How do you establish information security objectives at relevant functions and levels? Where are they documented? Who monitors the information security objectives?
- Are these information security objectives consistent with the information security policy?
- Are your information security objectives measurable? Show me. Are there any objectives that are not measurable?
- Have you taken into account applicable information security requirements in forming the information security objectives? Are risk assessment and treatment results considered in forming the information security objectives?
- Are these information security objectives monitored?
- How do you communicate the information security objectives?
- At what frequency do you update the information security objectives?
- Where are the information security objectives documented? Who monitors them?
- How do you retain documented information on the information security objectives?
- Do you have a plan for how to achieve the information security objectives?
- Have you considered the following in planning the objectives?
  - What will be done?
  - What resources will be required?
  - Who will be responsible for planning the objectives and implementing the tasks?
  - When will it be completed?
  - How will the results of the information security objectives be evaluated?

6.3 Planning of changes
- Have you determined the need for any changes in the ISMS?
- Have you ensured that any change in the ISMS is carried out in a planned manner?

7. Support

7.1 Resources
- Have you determined and provided the resources needed for:
  - establishment,
  - implementation,
  - maintenance, and
  - continual improvement of the ISMS?
- Who is responsible for providing resources?
- What is the formal process for budget approval?
- How is capacity planning done, and how are resources provided?
- Do you get resources on time, or is there delay in getting resources?
- Is your work affected by the unavailability of resources?

7.2 Competence
- Does the organization determine the necessary competence for personnel performing activities affecting the ISMS? How do you determine competency? Do you prepare a competency matrix related to ISMS activities?
- Have you ensured that the necessary competence has been achieved? If competency is not achieved in any area, what action is taken?
- Do you provide training or take other actions to achieve the necessary competence?
- Have you defined the appropriate education, training and experience for different categories of persons? Where do you maintain such documented information?
- Have you ensured that the necessary competence has been achieved? What actions are taken to acquire the necessary competence? How do you evaluate the effectiveness of the action taken, for example, written test, mock drill, BCP test, review of the effectiveness of training, etc.? What action was taken to upgrade the competence of people?
- Are you maintaining appropriate documented information on education, training, skills, experience and qualifications as evidence of competence?

7.3 Awareness
- Are your employees aware of the information security policy and information security objectives? How do you contribute through your work to implementing the information security policy in your work area?
- How do you contribute to the information security management system? What benefits are achieved by implementing the ISMS? What is your improved information security performance?
- What is the implication of not conforming to ISMS requirements?

7.4 Communication
- How do you determine the needs for internal and external communication relevant to the ISMS?
- What do you communicate regarding the ISMS?
- When do you communicate regarding the ISMS?
- With whom do you communicate regarding the ISMS?
- How do you communicate regarding the ISMS?

7.5 Documented information

7.5.1 General
- Do you require documented information as per ISO/IEC 27001:2022?
- How do you decide the need for effective documentation of information?
- Do you require paper copies or electronic copies of documented information?
- What is your documented information for the competence of persons?
- Have you documented information such as the information security policy and ISMS objectives?
- Have you documented the scope of the ISMS and the procedures and controls to support the ISMS?
- Have you documented the risk assessment report?
- Have you documented the risk treatment plan?
- Have you documented the procedures for effective planning, operation and control of the ISMS?
- Do you have any documented information on compliance with ISO 27001:2022 requirements?
- Have you documented the Statement of Applicability?
- Have you controlled the information security policies and all procedures as per the ISO 27001:2022 ISMS?

7.5.2 Creating and updating
- Have you created and updated documented information to meet requirements such as proper identification and description of the title, date, author and reference number?
- Have you made a format for documented information, including its identification, language, software version, graphics, and media such as paper copy and electronic copy?
- Who reviews, updates and re-approves documented information?
- Have you approved documented information for adequacy and suitability prior to issue? Who is authorized to approve and review the documented information? How do you ensure documented information is adequate and suitable for its purpose?

7.5.3 Control of documented information
- Have you defined any control mechanism for documented information? How do you ensure documented information is available for use when it is required?
- How do you protect documented information? What system have you adopted to protect it against loss of confidentiality, improper use, or loss of integrity?
- Are the documents required by the ISMS protected and controlled? How? Who is authorized to control ISMS documents? How do you distribute the documented information? Have you prepared an authorized copy-holder list to understand who has access to information? How do you retrieve documented information and use it?
- Is documented information established and maintained to provide evidence of conformity to requirements and the effective operation of the ISMS? How do you store and preserve the documented information? How do you ensure it is legible?
- Is it protected and controlled? How do you change the documented information? How do you establish version control for your documented information? Are you using any automated tool for such version control and configuration management?
- Is there documented information to define the controls needed for the identification, storage, protection, retrieval, retention time and disposition of documented information?
- Have you defined the retention period for various types of documented information? How do you dispose of such documented information, in hard copy as well as soft copy?
- Is documented information legible, readily identifiable and retrievable?
- Is documented information kept on the performance of the process and on all occurrences of significant security incidents related to the ISMS?

8. Operation

8.1 Operational planning and control
- Have you planned, implemented and controlled the processes needed to meet ISO 27001:2022 ISMS requirements?
- Have you planned, implemented and controlled processes to implement the actions to address risks and opportunities, including risk assessment and treatment?
- Have you established criteria for the processes?
- Have you implemented control of the processes in accordance with those criteria?
- Have you kept documented information regarding the implementation of these processes?
- Do you control planned changes and review the consequences of unintended changes? Have you taken action to mitigate any adverse effects of such changes?
- Have you controlled externally provided processes, products or services that are relevant to the information security management system?

8.2 Information security risk assessment
- Do you perform information security risk assessments at planned intervals or when significant changes are proposed or occur?
- What criteria have you taken into account for performing information security risk assessments?
- Have you taken into account the risk acceptance criteria?
- Have you retained documented information on the results of risk assessments? Show me.

8.3 Information security risk treatment
- Do you implement the information security risk treatment plan?
- Have you documented the risk treatment plan and results? Have you retained that documented information? Show me.

9. Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation
- What do you need to monitor and measure in your ISMS? Do you monitor and measure information security processes and controls?
- How do you monitor, measure, analyze and evaluate data? How do you ensure you get valid results?
- When is the monitoring and measurement performed?
- Who performs monitoring and measurement?
- When are the results from monitoring and measurement analyzed and evaluated?
- Who performs analysis and evaluation of results?
- Are the results from monitoring and measurement kept as documented information?
- Have you evaluated the information security performance and the effectiveness of the information security management system?

9.2 Internal audits

9.2.1 General
- Do you conduct internal audits of the ISMS at planned intervals? What is the frequency of internal audits?
- Do your ISMS internal audits provide information on whether the system conforms to the organization's own requirements for the ISMS as well as to ISO 27001:2022 requirements?
- Do your ISMS internal audits provide information on whether the ISMS is effectively implemented and maintained?
- How do you ensure during internal audit that the ISO 27001:2022 requirements as well as the international standard's requirements are implemented by the organization?
- How do you ensure during the audit that the ISMS is implemented and maintained effectively?

9.2.2 Internal audit program
- Have you planned, established, implemented and maintained audit program(s)?
- Who is the authorized person reporting on audits, and to whom is it reported?
- How do you ensure that the processes and audit results mentioned in the internal audit program are implemented effectively?
- When establishing the internal audit program(s), do you consider the importance of the processes concerned and the results of previous audits?
- Do you define the audit objectives, criteria and scope of each internal audit?
- Do you select auditors and conduct audits in a manner that ensures objectivity and impartiality of the audit process?
- Are identified employees/functional heads trained as internal auditors? Do you have a list of trained auditors?
- Do you ensure that the results of the audits are reported to relevant managers?
- Who is the authorized person to review the results of the audits?
- Is documented information on internal audits available as evidence of the implementation of the audit program and the audit results?
- Do you maintain records of the actual audits carried out against the audits planned, as well as a summary of audits done? Where do you maintain such records?
- How do you ensure that all departments are audited in internal audit for all the clauses applicable to that department? How do you check the effectiveness of action taken on audit NCRs? Where is it recorded?
- Is the audit program, including the audit schedule, based on the results of risk assessments of your activities and the results of previous audits?

9.3 Management review

9.3.1 General
- Does top management review the organization's information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness?
- How does top management review the organization's ISMS? What is the frequency of review to ensure its continuing suitability and adequacy? How do you ensure its effectiveness? When do you conduct such ISMS reviews?
- Do you consider the results of analysis and evaluation, and the outputs from management review, to determine the needs or opportunities relating to the ISMS?
- Do you review the effectiveness of the information security management system? How do you collect the necessary information for this? Do you get information on corrective action taken on identified non-compliances and its effectiveness for discussion in the management review meeting?
- Do you take any feedback? Do you review the results of feedback on information security?
- Have you defined the adequacy of resources and discussed it in management review? How do you measure opportunities for continual improvement?
- Do you prepare minutes of the management review meeting with the actions decided in that meeting? Do you review objectives and targets in the management review? When do you review them?

9.3.2 Management review inputs
- What topics are included in the management review?
- Does the management review include the status of actions from previous management reviews?
- Does the management review include changes in external and internal issues and in the needs and expectations of interested parties that are relevant to the information security management system?
- Does the management review include feedback on the information security performance, including trends in nonconformities and corrective actions, monitoring and measurement results, audit results and fulfilment of information security objectives?
- Does the management review include feedback from interested parties?
- Does the management review include the results of risk assessment and the status of the risk treatment plan?
- Does the management review include opportunities for continual improvement?
- Does the management review include assessing opportunities for improvement and the need for changes to the ISMS, including the information security policy and security objectives?
- Does the management review include the information security performance of the organization, objectives and targets met, status of corrective actions and follow-up actions from previous management reviews?
- Does the management review include changing circumstances and recommendations for improvement?

9.3.3 Management review results
- Do the results of the management review include decisions related to continual improvement opportunities?
- Do the results of the management review include decisions related to any need for changes to the information security management system?
- Is evidence of the results of management reviews available as documented information?
- Do you have documented information on the actions that emerged from the ISMS management review meetings?

10. Improvement

10.1 Continual improvement
- Do you continually improve the suitability, adequacy and effectiveness of the ISMS?
- Do you proactively seek opportunities for improvement even if there are no imminent information security threats or ongoing information security violations?

10.2 Nonconformity and corrective action
- When a nonconformity occurs, do you react to it? How? Do you take action to control and correct it?
- How do you control nonconformities, and what documented information is maintained?
- Has any action been taken to control and correct the nonconformity?
- How do you deal with the consequences of the nonconformity?
- Do you evaluate the need for action to eliminate the cause(s) of the nonconformity?
- Do you review the nonconformity?
- Who is the authorized person for reviewing nonconformities?
- Which causes are applicable to the nonconformity? Do you perform root cause analysis for nonconformities?
- How do you determine whether similar nonconformities exist or could potentially occur?
- Have you determined the causes of nonconformities? Have you reviewed the NCR and the correction of the NCR, and evaluated the nonconformities? What is the potential occurrence of nonconformities?
- When a nonconformity occurs, do you implement the action needed? What action is taken for the NCR? How do you implement the action needed to meet the documented information?
- Do you review the effectiveness of corrective action? Who is the authorized person for reviewing it?
- When a nonconformity occurs, do you make changes to the information security management system? Do you update documented information for risks?
- Have you taken any corrective action and made any change in the ISMS?
- How do you monitor the effectiveness of the results of corrective action?
- What is the basis for taking corrective actions? Do you take corrective action for all nonconformities?
- What is the mechanism for taking corrective action?
- Do you review all proposed corrective actions prior to implementation?
- How do you review them? Do you review them through the assessment process for security-related risk?
- Do you review the effectiveness of corrective action?
- Who reviews the effectiveness of corrective action taken by the concerned department?
- Do you maintain documented information on the nature of the nonconformity and subsequent actions taken, as well as the results of corrective action? Who maintains it?
- Are corrective actions taken appropriate to the magnitude of the problems and commensurate with the information security related risks likely to be encountered?