
Methodology

DP1/DP2/DP3 sources: Interview, Documented Information, Observed/Seen

No. | Clause | Annex A Clauses | Auditee                                              | Methodology
1   | 4.1    |                 | Top Management                                       | Interview
2   | 4.2    |                 | Top Management                                       | Interview
3   | 4.2    |                 | Top Management / Management Rep.                     | Sampling
4   | 4.3    |                 | Top Management / Management Rep.                     | Sampling
5   | 4.4    |                 | Top Management / ISMS Team                           | Sampling
6   | 5.1    |                 | Top Management                                       | Interview
    | 5.2    |                 | Top Management                                       | Sampling
7   |        |                 | Top Management                                       | Interview
8   | 5.3    |                 | Top Management / Heads / Supervisors / MR            | Sampling
    | 5.4    |                 | Top Management / Management Rep.                     | Interview / Sampling
    |        |                 | Top Management / Management Rep.                     | Interview
    |        |                 | Top Management / Management Rep.                     | Interview
    | 6.1.1  |                 | Top Management / Management Rep.                     | Interview
9   |        |                 | Top Management / Management Rep.                     | Interview
    | 6.1.2  |                 | Management Rep. / All Depts.                         | Sampling
    | 6.1.3  |                 | Top Management / Management Rep.                     | Sampling
    |        |                 | All department or representative or Management Rep.  | Interview
    |        |                 | All department or representative or Management Rep.  | Sampling
10  | 6.2    |                 | All department or representative or Management Rep.  | Sampling
    |        |                 | All Management or representative                     | Sampling
    | 7.1    |                 | Top Management                                       | Interview / Observation
12  |        |                 | Top Management / Management Rep.                     | Sampling
13  | 7.2    |                 | Top Management / Human Resource Officer              | Sampling
    |        |                 | Any random employee                                  | Interview
14  | 7.3    |                 | Any random employee                                  | Interview
15  | 7.4    |                 | All Management or representative                     | Interview
16  | 7.5    |                 | Document Controller                                  | Sampling
    |        |                 | Document Controller                                  | Sampling
    | 8.1    |                 | Department Head/representative / Any random employee | Observation
    |        |                 | Management Rep.                                      | Observation / Sampling
    | 8.2    |                 | Management Rep.                                      | Observation / Sampling
17  | 8.3    |                 | Management Rep.                                      | Observation / Sampling
    |        |                 | Process Owners / MR                                  | Sampling
18  | 9.1.1  |                 | Process Owners / MR                                  | Sampling
19  |        |                 | Lead Auditor                                         | Sampling
20  | 9.2    |                 | Lead Auditor / Internal Auditor                      | Sampling
21  | 9.3    |                 | Top Management / ISMS Team                           | Interview
    | 9.3    |                 | Top Management / ISMS Team                           | Sampling
22  | 10     |                 | Lead Auditor / Management Rep. / Process Owners      | Sampling
    |        |                 | Lead Auditor / Management Rep. / Process Owners      | Sampling
23  |        |                 | Top Management / Management Rep.                     | Interview / Sampling

*Note: Triangulation of evidence requires 3 data points (sources) pointing to the same audit finding.

Question/Request | Evaluation Result (C/NC/OFI/Inconclusive)
Pls. describe the external/internal issues relevant to the ISMS. |
Pls. state the interested parties (internal and external), including their needs and expectations. |
Pls. show which of these needs and expectations become its compliance obligations. |
Pls. show the documented scope of your ISMS (scope statement) and the Statement of Applicability (controlled doc). |
Audit the company's ISMS for conformance. |
Pls. describe how you demonstrate leadership & commitment with respect to the ISMS (a paragraph to cover a) to h); can be read as a script). |
Pls. show the information security Policy of the Company (signed information security policy). |
Pls. describe your information security Policy. |
Pls. show the org. structure for the ISMS. |
Please describe consultation/participation. |
Pls. describe risks & opportunities, and actions towards the risks & opportunities. |
Pls. describe the process of determining the risks & opportunities. |
Pls. further describe the actions towards risks & opportunities. |
Pls. elaborate more on these risks & opportunities. |
Please show me the Risk assessment (information assets), criteria, process of RA, likelihood, consequence, priority for treatment. |
Risk assessment/treatment controls compared with Annex A; Statement of Applicability; inclusion or exclusion of Annex A reference controls. |
What are the objectives of the ISMS for the Company? |
Pls. show the ISMS documented objectives. |
Pls. show the ISMS objectives taking into account the risks and opportunities, Annex A reference objectives and Compliance Obligations. |
Pls. show the resources required by your ISMS. |
Pls. describe the commitment to provide resources to support the ISMS. |
Pls. show the actual resources indicated that were provided in the ISMS. Site walkaround. |
Pls. show proof of competence of those involved in your ISMS (training cert.). |
Pls. state your awareness of the ISMS Policy, Objectives, contribution, awareness. Must be aware of clause 7.3 a) and d) of the ISMS standard at minimum. |
Pls. describe how you communicate with interested parties (Internal and External). |
Pls. show me the approver of the docs. When were the latest revisions and approval? (can show masterlists of Active docs) |
Pls. show me the repository of Internal, External and Obsolete documents. |
Reception, entrance gates, offices, restricted areas, protection infrastructure, CCTV, loading/unloading areas, emergency facilities. |
Pls. show operational controls in each area. |
Pls. show the documented procedure for Risk Assessment (updated/revised latest). |
Walk thru around the process areas. A.5 - A.18 |
Pls. show actual evidence in implementation of monitoring, measurement, analysis and evaluation of achieved objectives. |
Pls. show the effectiveness of IS controls. Permits, licenses, certificates, gov't reports. |
Pls. show audit programme/plan/reports/findings/Corrective Actions. |
Pls. show audit programme/plan/reports/findings/Corrective Actions. |
Pls. state the considerations and topics involved in the management review. |
Pls. show the results of the management review / Management Review Minutes of the Meeting. |
Pls. show the procedure developed to deal with actual and potential nonconformity(s) and for taking corrective action. |
Pls. show the NC reports and evidence of closures. |
Pls. show and state the ISMS suitability, adequacy, continual improvement and effectiveness in the organization. |
