ISO 27001 Internal Audit Checklist Aymen Bentijani 1750053285

The ISO 27001:2022 Internal Audit Checklist is a tool for internal auditors to evaluate compliance with ISO 27001:2022 requirements, covering mandatory clauses and guiding the assessment of an Information Security Management System (ISMS). It includes instructions for use, compliance status markings, and sections on the organization's context, leadership, planning, and support. The checklist aims to ensure effective implementation and continual improvement of the ISMS within an organization.

ISO 27001:2022 Internal Audit Checklist

By Aymen Bentijani

Document Control Information

• Document Title: ISO 27001:2022 Internal Audit Checklist
• Document Version: 1.0
• Last Updated: [DATE]
• Document Owner: [ROLE/NAME]

Purpose

This checklist is designed to assist internal auditors in evaluating compliance with ISO 27001:2022 requirements. It covers all mandatory clauses (4-10) and provides guidance for assessing the implementation and effectiveness of the Information Security Management System (ISMS).

Instructions for Use

1. Complete all sections of the checklist
2. For each requirement, mark compliance status as:
   ◦ Compliant (C): Requirement fully met with evidence
   ◦ Partially Compliant (P): Requirement partially met, improvements needed
   ◦ Non-Compliant (N): Requirement not met
   ◦ Not Applicable (NA): Requirement not applicable to the organization
3. Provide evidence/observations for each requirement
4. Document nonconformities and opportunities for improvement
5. Share findings with management and process owners

Section 1: Context of the Organization (Clause 4)

4.1 Understanding the organization and its context

| Requirement | Status (C/P/N/NA) | Evidence/Observations | Nonconformity/Improvement Opportunity |
|---|---|---|---|
| Has the organization determined external and internal issues relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its ISMS? | | | |
| Is there a process to monitor and review information about these external and internal issues? | | | |

Aymen Bentijani - Cybersecurity Services

4.2 Understanding the needs and expectations of interested parties

| Requirement | Status (C/P/N/NA) | Evidence/Observations | Nonconformity/Improvement Opportunity |
|---|---|---|---|
| Has the organization determined interested parties relevant to the ISMS? | | | |
| Has the organization determined the requirements of these interested parties relevant to information security? | | | |
| Has the organization determined which of these requirements will be addressed through the ISMS? | | | |
| Is there a process to monitor and review information about these interested parties and their relevant requirements? | | | |

4.3 Determining the scope of the ISMS

| Requirement | Status (C/P/N/NA) | Evidence/Observations | Nonconformity/Improvement Opportunity |
|---|---|---|---|
| Has the organization determined the boundaries and applicability of the ISMS to establish its scope? | | | |
| Has the scope considered external and internal issues (4.1)? | | | |
| Has the scope considered requirements of interested parties (4.2)? | | | |
| Has the scope considered interfaces and dependencies between activities performed by the organization and those performed by other organizations? | | | |
| Is the scope available as documented information? | | | |

4.4 Information security management system

| Requirement | Status (C/P/N/NA) | Evidence/Observations | Nonconformity/Improvement Opportunity |
|---|---|---|---|
| Has the organization established, implemented, maintained, and continually improved an ISMS in accordance with ISO 27001:2022? | | | |
| Has the organization determined the processes needed for the ISMS and their application throughout the organization? | | | |
| Has the organization determined the interactions of these processes? | | | |

Section 2: Leadership (Clause 5)

5.1 Leadership and commitment

| Requirement | Status (C/P/N/NA) | Evidence/Observations | Nonconformity/Improvement Opportunity |
|---|---|---|---|
| Has top management demonstrated leadership and commitment to the ISMS? | | | |
| Has top management ensured the information security policy and objectives are established and compatible with the strategic direction? | | | |
| Has top management ensured integration of ISMS requirements into the organization’s processes? | | | |
| Has top management ensured resources needed for the ISMS are available? | | | |
| Has top management communicated the importance of effective information security management? | | | |
| Has top management ensured the ISMS achieves its intended outcome(s)? | | | |
| Has top management directed and supported persons contributing to the ISMS? | | | |
| Has top management promoted continual improvement? | | | |
| Has top management supported other relevant management roles to demonstrate their leadership? | | | |

5.2 Policy

| Requirement | Status (C/P/N/NA) | Evidence/Observations | Nonconformity/Improvement Opportunity |
|---|---|---|---|
| Has top management established an information security policy appropriate to the organization? | | | |
| Does the policy include information security objectives or provide a framework for setting objectives? | | | |
| Does the policy include a commitment to satisfy applicable requirements? | | | |
| Does the policy include a commitment to continual improvement of the ISMS? | | | |
| Is the policy available as documented information? | | | |
| Is the policy communicated within the organization? | | | |
| Is the policy available to interested parties, as appropriate? | | | |

5.3 Organizational roles, responsibilities and authorities

| Requirement | Status (C/P/N/NA) | Evidence/Observations | Nonconformity/Improvement Opportunity |
|---|---|---|---|
| Has top management ensured responsibilities and authorities for relevant roles are assigned and communicated? | | | |
| Has top management assigned responsibility and authority for ensuring the ISMS conforms to ISO 27001:2022? | | | |
| Has top management assigned responsibility and authority for reporting on the performance of the ISMS? | | | |

Section 3: Planning (Clause 6)

6.1 Actions to address risks and opportunities

6.1.1 General

| Requirement | Status (C/P/N/NA) | Evidence/Observations | Nonconformity/Improvement Opportunity |
|---|---|---|---|
| Has the organization planned actions to address risks and opportunities considering issues (4.1) and requirements (4.2)? | | | |
| Has the organization planned how to integrate and implement these actions into ISMS processes? | | | |
| Has the organization planned how to evaluate the effectiveness of these actions? | | | |

6.1.2 Information security risk assessment

| Requirement | Status (C/P/N/NA) | Evidence/Observations | Nonconformity/Improvement Opportunity |
|---|---|---|---|
| Has the organization defined and applied an information security risk assessment process? | | | |
| Does the process identify information security risks? | | | |
| Does the process analyze information security risks? | | | |
| Does the process evaluate information security risks? | | | |
| Is the process maintained as documented information? | | | |

6.1.3 Information security risk treatment

| Requirement | Status (C/P/N/NA) | Evidence/Observations | Nonconformity/Improvement Opportunity |
|---|---|---|---|
| Has the organization defined and applied an information security risk treatment process? | | | |
| Does the process select appropriate risk treatment options? | | | |
| Does the process determine all controls needed to implement the risk treatment options? | | | |
| Has the organization compared controls determined with those in Annex A and verified no necessary controls were omitted? | | | |
| Has the organization produced a Statement of Applicability containing necessary controls and justification for inclusions and exclusions? | | | |
| Has the organization formulated an information security risk treatment plan? | | | |
| Has the organization obtained risk owners’ approval of the risk treatment plan and acceptance of residual risks? | | | |
| Is the risk treatment process maintained as documented information? | | | |

6.2 Information security objectives and planning to achieve them

| Requirement | Status (C/P/N/NA) | Evidence/Observations | Nonconformity/Improvement Opportunity |
|---|---|---|---|
| Has the organization established information security objectives at relevant functions and levels? | | | |
| Are the objectives consistent with the information security policy? | | | |
| Are the objectives measurable (if practicable)? | | | |
| Do the objectives take into account applicable requirements and risk assessment and treatment results? | | | |
| Are the objectives communicated? | | | |
| Are the objectives updated as appropriate? | | | |
| Are the objectives maintained as documented information? | | | |
| Has the organization determined what will be done to achieve the objectives? | | | |
| Has the organization determined what resources will be required? | | | |
| Has the organization determined who will be responsible? | | | |
| Has the organization determined when objectives will be completed? | | | |
| Has the organization determined how results will be evaluated? | | | |

6.3 Planning of changes

| Requirement | Status (C/P/N/NA) | Evidence/Observations | Nonconformity/Improvement Opportunity |
|---|---|---|---|
| When the organization determines the need for changes to the ISMS, are the changes carried out in a planned manner? | | | |

Section 4: Support (Clause 7)

7.1 Resources

| Requirement | Status (C/P/N/NA) | Evidence/Observations | Nonconformity/Improvement Opportunity |
|---|---|---|---|
| Has the organization determined and provided resources needed for the establishment, implementation, maintenance, and continual improvement of the ISMS? | | | |

7.2 Competence

| Requirement | Status (C/P/N/NA) | Evidence/Observations | Nonconformity/Improvement Opportunity |
|---|---|---|---|
| Has the organization determined necessary competence of persons doing work under its control that affects its information security performance? | | | |
| Has the organization ensured these persons are competent on the basis of education, training, or experience? | | | |
| Where applicable, has the organization taken actions to acquire the necessary competence? | | | |
| Has the organization evaluated the effectiveness of actions taken? | | | |
| Does the organization retain appropriate documented information as evidence of competence? | | | |

7.3 Awareness

| Requirement | Status (C/P/N/NA) | Evidence/Observations | Nonconformity/Improvement Opportunity |
|---|---|---|---|
| Are persons doing work under the organization’s control aware of the information security policy? | | | |
| Are they aware of their contribution to the effectiveness of the ISMS and benefits of improved information security performance? | | | |
| Are they aware of the implications of not conforming with ISMS requirements? | | | |


7.4 Communication

| Requirement | Status (C/P/N/NA) | Evidence/Observations | Nonconformity/Improvement Opportunity |
|---|---|---|---|
| Has the organization determined the need for internal and external communications relevant to the ISMS? | | | |
| Has the organization determined what to communicate? | | | |
| Has the organization determined when to communicate? | | | |
| Has the organization determined with whom to communicate? | | | |
| Has the organization determined who shall communicate? | | | |
| Has the organization determined the processes by which communication shall be effected? | | | |

7.5 Documented information

7.5.1 General

| Requirement | Status (C/P/N/NA) | Evidence/Observations | Nonconformity/Improvement Opportunity |
|---|---|---|---|
| Does the ISMS include documented information required by ISO 27001:2022? | | | |
| Does the ISMS include documented information determined by the organization as necessary for the effectiveness of the ISMS? | | | |

7.5.2 Creating and updating

| Requirement | Status (C/P/N/NA) | Evidence/Observations | Nonconformity/Improvement Opportunity |
|---|---|---|---|
| When creating and updating documented information, does the organization ensure appropriate identification and description? | | | |
| When creating and updating documented information, does the organization ensure appropriate format and media? | | | |
| When creating and updating documented information, does the organization ensure appropriate review and approval for suitability and adequacy? | | | |


7.5.3 Control of documented information

| Requirement | Status (C/P/N/NA) | Evidence/Observations | Nonconformity/Improvement Opportunity |
|---|---|---|---|
| Is documented information required by the ISMS controlled to ensure it is available and suitable for use, where and when it is needed? | | | |
| Is documented information required by the ISMS controlled to ensure it is adequately protected? | | | |
| For control of documented information, does the organization address distribution, access, retrieval and use? | | | |
| For control of documented information, does the organization address storage and preservation, including preservation of legibility? | | | |
| For control of documented information, does the organization address control of changes? | | | |
| For control of documented information, does the organization address retention and disposition? | | | |
| Is documented information of external origin determined by the organization to be necessary for the planning and operation of the ISMS identified and controlled? | | | |
| Is documented information maintained as evidence of conformity protected from unintended alterations? | | | |

Section 5: Operation (Clause 8)

8.1 Operational planning and control

| Requirement | Status (C/P/N/NA) | Evidence/Observations | Nonconformity/Improvement Opportunity |
|---|---|---|---|
| Has the organization planned, implemented and controlled processes needed to meet information security requirements? | | | |
| Has the organization established criteria for the processes? | | | |
| Has the organization implemented control of the processes in accordance with the criteria? | | | |
| Does the organization keep documented information to the extent necessary to have confidence that the processes have been carried out as planned? | | | |
| Does the organization control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary? | | | |
| Does the organization ensure that outsourced processes are determined and controlled? | | | |

8.2 Information security risk assessment

| Requirement | Status (C/P/N/NA) | Evidence/Observations | Nonconformity/Improvement Opportunity |
|---|---|---|---|
| Does the organization perform information security risk assessments at planned intervals or when significant changes are proposed or occur? | | | |
| Does the organization retain documented information of the results of the information security risk assessments? | | | |


8.3 Information security risk treatment

| Requirement | Status (C/P/N/NA) | Evidence/Observations | Nonconformity/Improvement Opportunity |
|---|---|---|---|
| Does the organization implement the information security risk treatment plan? | | | |
| Does the organization retain documented information of the results of the information security risk treatment? | | | |

Section 6: Performance Evaluation (Clause 9)

9.1 Monitoring, measurement, analysis and evaluation

| Requirement | Status (C/P/N/NA) | Evidence/Observations | Nonconformity/Improvement Opportunity |
|---|---|---|---|
| Has the organization evaluated the information security performance and the effectiveness of the ISMS? | | | |
| Has the organization determined what needs to be monitored and measured, including information security processes and controls? | | | |
| Has the organization determined the methods for monitoring, measurement, analysis and evaluation to ensure valid results? | | | |
| Has the organization determined when the monitoring and measuring shall be performed? | | | |
| Has the organization determined who shall monitor and measure? | | | |
| Has the organization determined when the results from monitoring and measurement shall be analyzed and evaluated? | | | |
| Has the organization determined who shall analyze and evaluate these results? | | | |
| Does the organization retain appropriate documented information as evidence of the monitoring, measurement, analysis and evaluation results? | | | |


9.2 Internal audit

9.2.1 General

| Requirement | Status (C/P/N/NA) | Evidence/Observations | Nonconformity/Improvement Opportunity |
|---|---|---|---|
| Does the organization conduct internal audits at planned intervals to provide information on whether the ISMS conforms to the organization’s own requirements and the requirements of ISO 27001:2022? | | | |
| Does the organization conduct internal audits at planned intervals to provide information on whether the ISMS is effectively implemented and maintained? | | | |

9.2.2 Internal audit programme

| Requirement | Status (C/P/N/NA) | Evidence/Observations | Nonconformity/Improvement Opportunity |
|---|---|---|---|
| Has the organization planned, established, implemented and maintained an audit programme, including frequency, methods, responsibilities, planning requirements and reporting? | | | |
| Does the audit programme take into consideration the importance of the processes concerned and the results of previous audits? | | | |
| Has the organization defined the audit criteria and scope for each audit? | | | |
| Does the organization select auditors and conduct audits to ensure objectivity and impartiality of the audit process? | | | |
| Does the organization ensure that the results of the audits are reported to relevant management? | | | |
| Does the organization retain documented information as evidence of the implementation of the audit programme and the audit results? | | | |


9.3 Management review

| Requirement | Status (C/P/N/NA) | Evidence/Observations | Nonconformity/Improvement Opportunity |
|---|---|---|---|
| Does top management review the organization’s ISMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness? | | | |
| Does the management review include consideration of the status of actions from previous management reviews? | | | |
| Does the management review include consideration of changes in external and internal issues relevant to the ISMS? | | | |
| Does the management review include consideration of feedback on the information security performance, including trends in nonconformities and corrective actions, monitoring and measurement results, audit results, and fulfillment of information security objectives? | | | |
| Does the management review include consideration of feedback from interested parties? | | | |
| Does the management review include consideration of results of risk assessment and status of risk treatment plan? | | | |
| Does the management review include consideration of opportunities for continual improvement? | | | |
| Do the outputs of the management review include decisions related to continual improvement opportunities and any needs for changes to the ISMS? | | | |
| Does the organization retain documented information as evidence of the results of management reviews? | | | |

Section 7: Improvement (Clause 10)

10.1 Nonconformity and corrective action

| Requirement | Status (C/P/N/NA) | Evidence/Observations | Nonconformity/Improvement Opportunity |
|---|---|---|---|
| When a nonconformity occurs, does the organization react to the nonconformity and take action to control and correct it? | | | |
| When a nonconformity occurs, does the organization deal with the consequences? | | | |
| Does the organization evaluate the need for action to eliminate the causes of nonconformity by reviewing the nonconformity, determining the causes, and determining if similar nonconformities exist or could potentially occur? | | | |
| Does the organization implement any action needed? | | | |
| Does the organization review the effectiveness of any corrective action taken? | | | |
| Does the organization make changes to the ISMS, if necessary? | | | |
| Are corrective actions appropriate to the effects of the nonconformities encountered? | | | |
| Does the organization retain documented information as evidence of the nature of the nonconformities and any subsequent actions taken, and the results of any corrective action? | | | |

10.2 Continual improvement

| Requirement | Status (C/P/N/NA) | Evidence/Observations | Nonconformity/Improvement Opportunity |
|---|---|---|---|
| Does the organization continually improve the suitability, adequacy and effectiveness of the ISMS? | | | |

Annex A Controls Assessment

This section should be used to assess the implementation and effectiveness of controls selected in the Statement of Applicability. For each applicable control, evaluate:

1. Is the control implemented as described in the SoA?
2. Is the control operating effectively?
3. Is there evidence to demonstrate control implementation and effectiveness?

Note: Detailed assessment of Annex A controls should be conducted using a separate checklist that covers all 93 controls across the four categories (Organizational, People, Physical, and Technological).

Audit Summary

Strengths Identified

1.
2.
3.

Nonconformities Identified

1.
2.
3.

Opportunities for Improvement

1.
2.
3.


Conclusions

[Provide overall assessment of ISMS compliance and effectiveness]

Recommendations

[Provide recommendations for addressing nonconformities and improving the ISMS]

Audit Information

• Audit Date(s): [DATE]
• Audit Scope: [SCOPE]
• Lead Auditor: [NAME]
• Audit Team Members: [NAMES]
• Auditee Representatives: [NAMES]

Approval

This Internal Audit Report has been reviewed and approved by:

Name: ________________________
Position: ______________________
Date: _________________________
Signature: _____________________
