Title Page

  • Date

  • Client

  • Trading Name(s)

  • Address

  • Audit Standard: ISO 27001:2022 + Amd-01:2024

  • Ref Number

  • Report dated:

Scope

  • Scheme Section(s)

  • Target of Evaluation

  • Jurisdiction

  • Limitations on Scope

Audit General Data

  • Site conducted

  • Conducted on

  • ACCS Auditor / Certification Officer

  • Confirm if this a remote audit

  • Has a Remote Audit Risk Analysis been completed

  • Add a copy of the risk assessment here

  • Specify Why is this answer not applicable

  • Does the client operate ONLY from virtual offices

  • Confirm that the client has established an infrastructure to offer fully remote audits and manage their operational processes and that this has been considered within their risk assessments

  • Remote Audit method - Delete this section if the Audit is 'on-site'

  • * A remote CAAT / ICT assessment was performed to the extent >30 %
    * Form of audit: video conferencing (MS Teams), email communication, Electronic transfer of documents.
    * The CAAT/ICT method of remote assessment in the given range was used effectively using the tools listed below .
    - A remote CAAT / ICT assessment was performed to the extent 100 % - EE (IAF ID 3) Form of audit: video conferencing (MS Teams, Google Zoom), email communication Remote CAAT / ICT assessment was performed for 100% - EE extension (IAF ID 3) Audit form: Videoconferences - (eg MS Teams, Google Zoom) , email communication were used Interview (MS outlook, Gmail or MS Teams note); Documentation review/analysis via screen sharing and/or email

  • Audit type: Stage 1

  • Audit type: stage 2

  • Audit type: surveillance,

  • Audit type: recertification

  • Audit Objectives
    Audit objectives, where methodologically can:
    1) confirm the compliance of the client's management system with audit criteria,

    2) determine the ability of the management system to ensure that the organization meets the applicable statutory, regulatory and contractual requirements.

    3) achieve the specified objectives, as the management system can identify areas for potential improvement, including management review and internal audits - Were fulfilled.

Customer General Data

  • The main scope of the company for which certification management system is considered

  • Corresponding NACE Code or Category : 99.98, 99.99 / EAC 33

  • Number of employees in the certified area :

  • Special processes: If None please state 'None'

  • Number of Shifts: 1

Certification Data Process

  • Certification standard applied: ISO/IEC 27001:2022 + Amd: 1: 2024

  • Detail of any clauses claimed as 'Not Applicable' including any claimed justification

  • Audit date ( from / To):

  • Total Audit Days :

  • Certificated since (dd/mm/yyyy)

  • Place(s) of Audit headquarters and branches (see section Visited locations)

  • Deviation from the audit plan required

  • Please detail what deviations were required

  • Significant issues impacting on audit programme or client's MS :

  • What were the significant issues and what was the impact

  • Consultant involved in management system support:

  • Please state consultants role and support provided

  • Audit (Report) language: English - if other please state or leave blank

Disclaimer Auditing is based on a sampling process of the available information and consequently there will always be an element of uncertainty present in auditing evidence, which may be reflected in the audit findings. With this audit considering evidence based on 'Random Samples' Non-Conformances may not be identified at this audit but may become evident at future audits Those relying or acting upon the audit results and conclusions should take into account this uncertainty.

    Findings raised this certification cycle
  • Findings raised THIS audit

  • Number of MAJOR non-conformances

  • Number of MINOR non-conformances

  • Number of Observations

  • Surveillance 1 - findings raised

  • Number of MAJOR non-conformances

  • Number of MINOR non-conformances

  • Number of Observations

  • Surveillance 2 - findings raised

  • Number of MAJOR non-conformances

  • Number of MINOR non-conformances

  • Number of Observations

  • Recertification- findings raised

  • Number of MAJOR non-conformances

  • Number of MINOR non-conformances

  • Number of Observations

Opening Meeting, Confirmation of Audit Scope; Executive summary

  • Audit Criteria
    The audit criteria are the requirements of the standard and the established processes as well as the documentation of the organization's management system. The purpose of the audit is to confirm the compliance of the client's management system with the audit criteria, to determine the ability of the management system to ensure that the organization meets the relevant legal and other requirements (but the audit is not an audit of compliance with the legislation). Furthermore, the objective is to determine whether the effectiveness of the management system makes it possible to achieve the objectives set and identify areas for potential improvement.

  • ** input evidence within the 'notes' / 'media' section for all questions - ** Each question should be answered where applicable

  • Representing the client the opening meeting was attended by

  • Description of the clients company, its activities / main product or services

  • Corporation details, infrastructure, working places and branch offices, organizational chart description

  • Manufacturing equipment or services support activities
    The Top management of the company has provided the necessary resources for the implementation of activities: equipment, software and IS, and personnel. Channels of communication communication channels and support services have been defined.

  • Confirm the audit agenda is acceptable to everyone, see notes for changes

  • Confirm the audit agenda is acceptable to everyone, see notes for changes

  • Confirm that audit sampling of records is based on "random Samples" not 100% inspection; Confirm that the audit is based on a "risk-based" approach of company processes.

  • Re-confirm confidentiality and impartiality

  • Confirm that decisions be based on objective evidence of conformity (or nonconformity) obtained by ACCS, and that decisions are not influenced by other interests or by other parties. Confirm understanding of findings - Major/Minor NCs; Observations; confirm routes and timescales for closing any NCs. Confirm the right of appealing any decisions the client does not agree with

  • Confirm Questions can be asked but advice or consultancy cannot be given

  • End opening meeting; provide "Thank You's" for using ACCS and coming to the opening meeting; assistance to be given

  • Are there any significant changes that could impact the Management System or any unresolved NC's / issues since the last ACCS audit

Executive Summary

  • * * NOTE : Auditor to delete this text and replace with a description of the clients activities, facilities location and summary of the audit

Audit Recommendation

  • It is the Auditors recommendation that the outcome of the audit is

  • Certification is recommended with no further action

  • Certification is recommended once all findings have been addressed / closed

  • Certification is NOT reccomended

Clause 4 Context of the organisation

  • ** input evidence within the 'notes' / 'media' section for all questions - ** Each question should be answered where applicable

  • 4.1 understanding the organisation and its context - has the client determined external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes[s] of its ISMS

  • 4.1.1 Has the client considered determined whether climate change is/are a relevant issue.

  • Is clause 4.1 considered compliant

  • 4.2 understanding the needs and expectations of interested parties - Has the client determined: a) interested parties that are relevant to the information security management system;

  • understanding the needs and expectations of interested parties - Has the client determined: b) the relevant requirements of these interested parties;

  • understanding the needs and expectations of interested parties - Has the client determined: c) which of these requirements will be addressed through the information security management<br>system.

  • is clause 4.2 considered compliant

4.3 Determining the scope of the information security management system

  • Has the client determined the boundaries and applicability of the information security

  • When determining this scope, has the client considered: a) the external and internal issues referred to in 4.1;<br>b) the requirements referred to in 4.2;<br>c) interfaces and dependencies between activities performed by the organization, and those that are<br>performed by other organizations.

  • is clause 4.3 considered compliant

  • 4.4 Information security management system - can the client demonstrate that they have established, implemented, maintained and continually improved an information security management system (ISMS), including the processes needed and their interactions, in accordance with the requirements of this document.

  • Is clause 4.4 considered compliant

5 Leadership

  • ** input evidence within the 'notes' / 'media' section for all questions - ** Each question should be answered where applicable

  • 5.1 Leadership and commitment

  • Can "Top management" demonstrate leadership and commitment with respect to the information security management system by:

  • A) ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization;

  • B) ensuring the integration of the information security management system requirements into the companies processes;

  • C) ensuring that the resources needed for the information security management system are available;

  • D) communicating the importance of effective information security management and of conforming to the information security management system requirements;

  • E) ensuring that the information security management system achieves its intended outcome(s);

  • F) directing and supporting persons to contribute to the effectiveness of the information security management system;

  • G) promoting continual improvement;

  • H) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.

  • Is clause 5.1 considered compliant

5.2 Policy

  • Can Top management demonstrate that they established an information security policy that:

  • A) is appropriate to the purpose of the organization;

  • B) includes information security objectives (see 6.2) or provides the framework for setting information security objectives;

  • C) includes a commitment to satisfy applicable requirements related to information security;

  • D) includes a commitment to continual improvement of the information security management system.

  • Is the information security policy:

  • 1) available as documented information;

  • 2) communicated within the company;

  • 3) Available to interested parties, as/where appropriate.

  • Is clause 5.2 considered compliant

5.3 Organizational roles, responsibilities and authorities

  • Does "top management " ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated within the organization.

  • Have "top management" assigned the responsibility and authority for: ensuring that the information security management system conforms to the requirements of ISO 27001:2022

  • Have "top management" assigned the responsibility and authority for: reporting on the performance of the information security management system to top management.

  • Is clause 5.3 considered compliant

6 Planning

6.1 Actions to address risks and opportunities

  • ** input evidence within the 'notes' / 'media' section for all questions - ** Each question should be answered where applicable

  • 6.1.1 General - When planning for the information security management system, has the client considered the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:

  • A) Ensured the information security management system can achieve its intended outcome(s);

  • B) prevent, or reduce, undesired effects;

  • C) Achieve continual improvement.

  • Can the client demonstrate that they have planned:

  • D) Actions to address these risks and opportunities;

  • E) Can the client demonstrate how

  • 1) They integrate and implement the actions into its information security management system processes;

  • 2) They evaluate the effectiveness of these actions.

  • Can the client able to produce certificates of insurance that could mitigate or minimise risk to their business

  • Is clause 6.1.1 considered compliant

6.1.2 Information security risk assessment

  • Can the client define and apply an information security risk assessment process that:

  • A) establishes and maintains information security risk criteria that include:

  • 1) the risk acceptance criteria;

  • 2) criteria for performing information security risk assessments;

  • B) ensures that repeated information security risk assessments produce consistent, valid and comparable results;

  • C) identifies information security risks that:

  • 1) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system;

  • 2) identify the risk owners;

  • D) analyses the information security risks via the following:

  • 1) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize;

  • 2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1);

  • 3) determine the levels of risk;

  • E) evaluates the information security risks by the following

  • 1) compare the results of risk analysis with the risk criteria established in 6.1.2 a);

  • 2) prioritize the analysed risks for risk treatment.

  • Has the client retain documented information about the information security risk assessment - ask for copies

  • Is clause 6.1.2 considered compliant

6.1.3 Information security risk treatment

  • Can the client demonstrate that they have defined and applied an information security risk treatment process to:

  • A) select appropriate information security risk treatment options, taking account of the risk assessment results;

  • B) determine all controls that are necessary to implement the information security risk treatment option(s) chosen;

  • C) compare the controls determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls have been omitted;

  • D) produce a Statement of Applicability that contains: * the necessary controls (see 6.1.3 b) and c)); * justification for their inclusion; * whether the necessary controls are implemented or not; * the justification for excluding any of the Annex A controls.

  • Does the SoA include any additional controls such as certification to NIST, Cyber essentials etc or certification to any other ISOP standard

  • Ask for a copy of the clients S.o.A. - THIS IS REQUIRED TO BE CHECKED SEPERATLY AGAINST CONTROLS up load as media attachment if possible, if not then retain a paper or electronic copy in the client file

  • E) formulate an information security risk treatment plan;

  • F) obtain risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks.

  • Can the client demonstrate that they have retained documented information about the information security risk treatment process.

  • Is clause 6.1.2 considered compliant

6.2 Information security objectives and planning to achieve them

  • Can the client demonstrate that they have established information security objectives at relevant functions and levels.

  • Do / Are the information security objectives:

  • A) consistent with the information security policy;

  • B) measurable (if practicable);

  • C) take into account applicable information security requirements, and results from risk assessment and risk treatment;

  • D) monitored

  • E) communicated;

  • F) updated as appropriate;

  • G) available as documented information.

  • When planning how to achieve its information security objectives, can the client demonstrate that they have determined via:

  • 1) what will be done;

  • 2) what resources will be required;

  • 3) who will be responsible;

  • 4) when it will be completed;

  • 5) how the results will be evaluated.

  • Is clause 6.2 considered compliant

6.3 Planning of changes

  • When the client determines the need for changes to the information security management do they have a process for the planning of those changes

  • Is clause 6.3 considered compliant

Statement of Applicability

  • compare the controls determined in 6.1.3 b with those in Annex A and verify that no necessary controls have been omitted;
    NOTE 2 Annex A contains a list of possible information security controls. Users of this document are directed to Annex A to ensure that no necessary information security controls are overlooked.
    NOTE 3 The information security controls listed in Annex A are not exhaustive and additional information security controls can be included if needed.

  • Auditors are required to add evidential text of the control in the respective questions below

  • Is section 5 of the clients SoA being considered at this audit (refer to Audit Plan and 3yr audit cycle)

  • 5.1 Policies for information security

  • Provide details of the following Control<br>Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.

  • 5.2 Information security roles and responsibilities

  • Provide details of the following Control<br>Information security roles and responsibilities shall be defined and allocated according to the organization needs.

  • 5.3 Segregation of duties

  • Provide details of the following Control<br>Conflicting duties and conflicting areas of responsibility shall be segregated.

  • 5.4 Management responsibilities

  • Provide details of the following Control<br>Management shall require all personnel to apply information security in accordance with the established information security policy, topic- specific policies and procedures of the organization.

  • 5.5 Contact with authorities

  • Provide details of the following Control<br>The organization shall establish and maintain contact with special interest groups or other specialist security forums and professional associations.

  • 5.6 Contact with special interest groups

  • Provide details of the following Control<br>The organization shall establish and maintain contact with special interest groups or other specialist security forums and professional associations.

  • 5.7 Threat intelligence

  • Provide details of the following Control<br>Information relating to information security threats shall be collected<br>and analysed to produce threat intelligence.

  • 5.8 Information security in project management

  • Provide details of the following Control<br>Information security shall be integrated into project management.

  • 5.9 Inventory of information and other associated assets

  • Provide details of the following Control<br>An inventory of information and other associated assets, including owners, shall be developed and maintained.

  • 5.10 Acceptable use of information and other associated assets

  • Provide details of the following Control<br>Rules for the acceptable use and procedures for handling information and other associated assets shall be identified, documented and implemented.

  • 5.11 Return of assets

  • Provide details of the following Control<br>Personnel and other interested parties as appropriate shall return all the organization’s assets in their possession upon change or termination of their employment, contract or agreement.

  • 5.12 Classification of information

  • Provide details of the following Control<br>Information shall be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements.

  • 5.13 Labelling of information

  • Provide details of the following Control<br>An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

  • 5.14 Information transfer

  • Control<br>Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.

  • 5.15 Access control

  • Control<br>Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.

  • 5.16 Identity management

  • Control<br>The full life cycle of identities shall be managed.

  • 5.17 Authentication information

  • Control<br>Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information.

  • 5.18 Access rights

  • Control<br>Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control.

  • 5.19 Information security in supplier relationships

  • Control<br>Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of supplier’s products or services.

  • 5.20 Addressing information security within supplier agreements

  • Control<br>Relevant information security requirements shall be established and agreed with each supplier based on the type of supplier relationship.

  • 5.21 Managing information security in the information and communication technology (ICT) supply chain

  • Provide details of the following Control<br>Processes and procedures shall be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.

  • 5.22 Monitoring, review and change management of supplier services

  • Provide details of the following Control<br>The organization shall regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.

  • 5.23 Information security for use of cloud services

  • Provide details of the following Control<br>Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organization’s information security requirements.

  • 5.24 Information security incident management planning and preparation

  • Provide details of the following Control<br>The organization shall plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities.

  • 5.25 Assessment and decision on information security events

  • Provide details of the following Control<br>The organization shall assess information security events and decide if they are to be categorized as information security incidents.

  • 5.26 Response to information security incidents

  • Provide details of the following Control<br>Information security incidents shall be responded to in accordance with the documented procedures.

  • 5.27 Learning from information security incidents

  • Provide details of the following Control<br>Knowledge gained from information security incidents shall be used to strengthen and improve the information security controls.

  • 5.28 Collection of evidence

  • Provide details of the following Control<br>The organization shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.

  • 5.29 Information security during disruption

  • Provide details of the following Control<br>The organization shall plan how to maintain information security at an appropriate level during disruption.

  • 5.30 ICT readiness for business continuity

  • Provide details of the following Control<br>ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.

  • 5.31 Legal, statutory, regulatory and contractual requirements

  • Provide details of the following Control<br>Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet these requirements shall be identified, documented and kept up to date.

  • 5.32 Intellectual property rights

  • Provide details of the following Control<br>The organization shall implement appropriate procedures to protect intellectual property rights.

  • 5.33 Protection of records

  • Provide details of the following Control<br>Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.

  • 5.34 Privacy and protection of personal identifiable information (PII)

  • Provide details of the following Control<br>The organization shall identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements.

  • 5.35 Independent review of information security

  • Provide details of the following Control<br>The organization’s approach to managing information security and its implementation including people, processes and technologies shall be reviewed independently at planned intervals, or when significant changes occur.

  • 5.36 Compliance with policies, rules and standards for information security

  • Provide details of the following Control<br>Compliance with the organization’s information security policy, topic- specific policies, rules and standards shall be regularly reviewed.

  • 5.37 Documented operating procedures

  • Provide details of the following Control<br>Operating procedures for information processing facilities shall be documented and made available to personnel who need them.

  • Is section 6 of the clients SoA being considered at this audit (refer to Audit Plan and 3yr audit cycle)

  • 6.1 Screening

  • Provide details of the following Control<br>Background verification checks on all candidates to become personnel<br>shall be carried out prior to joining the organization and on an ongoing<br>basis taking into consideration applicable laws, regulations and ethics<br>and be proportional to the business requirements, the classification of<br>the information to be accessed and the perceived risks.

  • 6.2 Terms and conditions of employment

  • Provide details of the following Control<br>The employment contractual agreements shall state the personnel’s and<br>the organization’s responsibilities for information security.

  • 6.3 Information security awareness, education and training

  • Provide details of the following Control<br>Personnel of the organization and relevant interested parties shall receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function.

  • 6.4 Disciplinary process

  • Provide details of the following Control<br>A disciplinary process shall be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation.

  • 6.5 Responsibilities after termination or change of employment

  • Provide details of the following Control<br>Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, enforced and communicated to relevant personnel and other interested parties.

  • 6.6 Confidentiality or non-disclosure agreements

  • Provide details of the following Control<br>Confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.

  • 6.7 Remote working

  • Provide details of the following Control<br>Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises.

  • 6.8 Information security event reporting

  • Provide details of the following Control<br>The organization shall provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.

  • Is section 7 of the clients SoA being considered at this audit (refer to Audit Plan and 3yr audit cycle)

  • 7.1 Physical security perimeters

  • Provide details of the following Control<br>Security perimeters shall be defined and used to protect areas that contain information and other associated assets.

  • 7.2 Physical entry

  • Provide details of the following Control<br>Secure areas shall be protected by appropriate entry controls and access points.

  • 7.3 Securing offices, rooms and facilities

  • Provide details of the following Control<br>Physical security for offices, rooms and facilities shall be designed and implemented.

  • 7.4 Physical security monitoring

  • Provide details of the following Control<br>Premises shall be continuously monitored for unauthorized physical access.

  • 7.5 Protecting against physical and environmental threats

  • Provide details of the following Control<br>Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure shall be designed and implemented.

  • 7.6 Working in secure areas

  • Provide details of the following Control<br>Security measures for working in secure areas shall be designed and implemented.

  • 7.7 Clear desk and clear screen

  • Provide details of the following Control<br>Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities shall be defined and appropriately enforced.

  • 7.8 Equipment siting and protection

  • Provide details of the following Control<br>Equipment shall be sited securely and protected.

  • 7.9 Security of assets off-premises

  • Provide details of the following Control<br>Off-site assets shall be protected.

  • 7.10 Storage media

  • Provide details of the following Control<br>Storage media shall be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization’s classification scheme and handling requirements.

  • 7.11 Supporting utilities

  • Provide details of the following Control<br>Information processing facilities shall be protected from power failures and other disruptions caused by failures in supporting utilities.

  • 7.12 Cabling security

  • Provide details of the following Control<br>Cables carrying power, data or supporting information services shall<br>be protected from interception, interference or damage.

  • 7.13 Equipment maintenance

  • Provide details of the following Control<br>Equipment shall be maintained correctly to ensure availability, integrity and confidentiality of information.

  • 7.14 Secure disposal or re-use of equipment

  • Provide details of the following Control<br>Items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

  • Is section 8 of the clients SoA being considered at this audit ((refer to Audit Plan and 3yr audit cycle)

  • 8.1 User end point devices

  • Provide details of the following Control<br>Information stored on, processed by or accessible via user end point devices shall be protected.

  • 8.2 Privileged access rights

  • Provide details of the following Control<br>The allocation and use of privileged access rights shall be restricted and managed.

  • 8.3 Information access restriction

  • Provide details of the following Control<br>Access to information and other associated assets shall be restricted in<br>accordance with the established topic-specific policy on access control.

  • 8.4 Access to source code

  • Provide details of the following Control<br>Read and write access to source code, development tools and software libraries shall be appropriately managed.

  • 8.5 Secure authentication

  • Provide details of the following Control<br>Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control.

  • 8.6 Capacity management

  • Provide details of the following Control<br>The use of resources shall be monitored and adjusted in line with current<br>and expected capacity requirements.

  • 8.7 Protection against malware

  • Provide details of the following Control<br>Protection against malware shall be implemented and supported by appropriate user awareness.

  • 8.8 Management of technical vulnerabilities

  • Provide details of the following Control<br>Information about technical vulnerabilities of information systems in<br>use shall be obtained, the organization’s exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken.

  • 8.9 Configuration management

  • Provide details of the following Control<br>Configurations, including security configurations, of hardware, software,<br>services and networks shall be established, documented, implemented,<br>monitored and reviewed.

  • 8.10 Information deletion

  • Provide details of the following Control<br>Information stored in information systems, devices or in any other storage media shall be deleted when no longer required.

  • 8.11 Data masking

  • Provide details of the following Control<br>Data masking shall be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.

  • 8.12 Data leakage prevention

  • Provide details of the following Control<br>Data leakage prevention measures shall be applied to systems, networks<br>and any other devices that process, store or transmit sensitive information.

  • 8.13 Information backup

  • Provide details of the following Control<br>Backup copies of information, software and systems shall be maintained<br>and regularly tested in accordance with the agreed topic-specific policy<br>on backup.

  • 8.14 Redundancy of information processing facilities

  • Provide details of the following Control<br>Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.

  • 8.15 Logging

  • Provide details of the following Control<br>Logs that record activities, exceptions, faults and other relevant events<br>shall be produced, stored, protected and analysed.

  • 8.16 Monitoring activities

  • Provide details of the following Control<br>Networks, systems and applications shall be monitored for anomalous<br>behaviour and appropriate actions taken to evaluate potential information security incidents.

  • 8.17 Clock synchronization

  • Provide details of the following Control<br>The clocks of information processing systems used by the organization shall be synchronized to approved time sources.

  • 8.18 Use of privileged utility programs

  • Provide details of the following Control<br>The use of utility programs that can be capable of overriding system and application controls shall be restricted and tightly controlled.

  • 8.19 Installation of software on operational systems

  • Provide details of the following Control<br>Procedures and measures shall be implemented to securely manage software installation on operational systems.

  • 8.20 Networks security

  • Provide details of the following Control<br>Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.

  • 8.21 Security of network services

  • Provide details of the following Control<br>Security mechanisms, service levels and service requirements of network<br>services shall be identified, implemented and monitored.

  • 8.22 Segregation of networks

  • Provide details of the following Control<br>Groups of information services, users and information systems shall be segregated in the organization’s networks.

  • 8.23 Web filtering

  • Provide details of the following Control<br>Access to external websites shall be managed to reduce exposure to<br>malicious content.

  • 8.24 Use of cryptography

  • Provide details of the following Control<br>Rules for the effective use of cryptography, including cryptographic key<br>management, shall be defined and implemented.

  • 8.25 Secure development life cycle

  • Provide details of the following Control<br>Rules for the secure development of software and systems shall be established and applied.

  • 8.26 Application security requirements

  • Provide details of the following Control<br>Information security requirements shall be identified, specified and approved when developing or acquiring applications.

  • 8.27 Secure system architecture and engineering principles

  • Provide details of the following Control<br>Principles for engineering secure systems shall be established, documented, maintained and applied to any information system development activities.

  • 8.28 Secure coding

  • Provide details of the following Control<br>Secure coding principles shall be applied to software development.

  • 8.29 Security testing in development and acceptance

  • Provide details of the following Control<br>Security testing processes shall be defined and implemented in the development life cycle.

  • 8.30 Outsourced development

  • Provide details of the following Control<br>The organization shall direct, monitor and review the activities related to outsourced system development.

  • 8.31 Separation of development, test and production environments

  • Provide details of the following Control<br>Development, testing and production environments shall be separated and secured.

  • 8.32 Change management

  • Provide details of the following Control<br>Changes to information processing facilities and information systems shall be subject to change management procedures.

  • 8.33 Test information

  • Provide details of the following Control<br>Test information shall be appropriately selected, protected and managed.

  • 8.34 Protection of information systems during audit testing

  • Provide details of the following Control<br>Audit tests and other assurance activities involving assessment of operational systems shall be planned and agreed between the tester and appropriate management.

7 Support

  • ** input evidence within the 'notes' / 'media' section for all questions - ** Each question should be answered where applicable

  • 7.1 Resources

  • Can the client demonstrate how they determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system.

  • Is clause 7.1 considered compliant

7.2 Competence

  • Can the client demonstrate that they have a process to:

  • A) determine the necessary competence of person(s) doing work under its control that affects its information security performance;

  • B) ensure that these persons are competent on the basis of appropriate education, training, or experience;

  • C) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken;

  • D) retain appropriate documented information as evidence of competence.

  • Obtain evidence of training and how the training is documented

  • Is clause 7.2 considered compliant

7.3 Awareness

  • Does the client ensure that Persons undertaking work under their control are aware of:

  • A) the information security policy;

  • B) their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance;

  • C) the implications of not conforming with the information security management system requirements

  • Is clause 7.3 considered compliant

7.4 Communication

  • Can the client demonstrate how they have determined the need for internal and external communications relevant to the information security management system including:

  • A) on what to communicate;

  • B) when to communicate;

  • C) with whom to communicate;

  • D) how to communicate.

  • Is clause 7.4 considered compliant

7.5 Documented information

  • 7.5.1 Does the clients information security management system include:

  • A) documented information required by ISO 27001: 2022

  • B) documented information determined by the client as being necessary for the effectiveness of the information security management system.

  • Is clause 7.5.1 considered compliant

7.5.2 Creating and updating

  • When creating and updating documented information does the client ensure appropriate document control by the following

  • A) identification and description (e.g. a title, date, author, or reference number);

  • B) format (e.g. language, software version, graphics) and media (e.g. paper, electronic);

  • C) review and approval for suitability and adequacy.

  • Is clause 7.5.2 considered compliant

7.5.3 Control of documented information

  • Documented information required by the information security management system and by ISO 27001: 2022 shall be controlled to ensure:

  • A) it is available and suitable for use, where and when it is needed;

  • it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).

  • For the control of documented information, does the client address the following activities, as applicable

  • C) distribution, access, retrieval and use;

  • D) storage and preservation, including the preservation of legibility;

  • E) control of changes (e.g. version control);

  • F) retention and disposition.

  • 1) Is documented information of external origin, determined by the client to be necessary for the planning and operation of the information security management system identified as appropriate, and controlled.

  • Is clause 7.5 considered compliant

8 Operation

  • ** input evidence within the 'notes' / 'media' section for all questions - ** Each question should be answered where applicable

  • 8.1 Operational planning and control

  • Can the client demonstrate how they plan, implement and control the processes needed to meet requirements, and to implement the actions determined in Clause 6, via:

  • 1) establishing criteria for the processes;

  • 2) implementing control of the processes in accordance with the criteria.

  • 3) Is Documented information available to the extent necessary to have confidence that the processes have been carried out as planned.

  • 4) Can the client demonstrate how it controls planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.

  • Can the client demonstrate how they ensure that externally provided processes, products or services that are relevant to the information security management system are controlled.

  • Is clause 8.1 considered compliant

8.2 Information security risk assessment

  • Can the client demonstrate how they perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a).

  • Does the client retain documented information of the results of the information security risk assessments.

  • is clause 8.2 considered compliant

8.3 Information security risk treatment

  • Can the client demonstrate how they implement the information security risk treatment plan.

  • Can the client demonstrate how they retain documented information of the results of the information security risk treatment.

  • Is clause 8.3 considered compliant

9 Performance evaluation

  • ** input evidence within the 'notes' / 'media' section for all questions - ** Each question should be answered where applicable

9.1 performance evaluation

  • Can the client demonstrate how they have determined the following:

  • A) what needs to be monitored and measured, including information security processes and controls;

  • B) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results. The methods selected should produce comparable and reproducible results to be considered valid;

  • C) when the monitoring and measuring shall be performed;

  • D) who shall monitor and measure;

  • E) when the results from monitoring and measurement shall be analysed and evaluated;

  • F) who shall analyse and evaluate these results.

  • Is documented information available as evidence of the results.

  • Can the client demonstrate how they evaluate the information security performance and the effectiveness of the information security management system.

  • Is clause 9.1 considered compliant

9.2 Internal audit

  • 9.2.1 General

  • Can the client provide evidence to show they conduct internal audits at planned intervals to provide information on whether the information security management system by the following

  • A) conforms to

  • 1) the clients own requirements for its information security management system;

  • 2) the requirements of ISO 27001: 2022

  • B) is effectively implemented and maintained.

  • is clause 9.2.1 considered compliant

9.2.2 Internal audit programme

  • Can the client demonstrate how they have planed, established , implemented and maintained an audit programme (s), including the frequency, methods, responsibilities, planning requirements and reporting.

  • When establishing the internal audit programme(s), the client shall consider the importance of the processes concerned and the results of previous audits, can the client demonstrate how they ensure this.

  • Can the client provide evidence to show that they ensure the following:

  • A) define the audit criteria and scope for each audit;

  • B) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;

  • C) ensure that the results of the audits are reported to relevant management;

  • Is documented information available as evidence of the implementation of the audit programme(s) and the audit results.

  • Is clause 9.2.2 considered comp-liant

9.3 Management review

  • 9.3.1 General

  • Can the top management demonstrate how they review the companies information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.

  • Is clause 9.3.1 considered compliant

9.3.2 Management review inputs

  • Can the client demonstrate that the management review includes consideration of the following

  • A) the status of actions from previous management reviews;

  • B) changes in external and internal issues that are relevant to the information security management system;

  • C) changes in needs and expectations of interested parties that are relevant to the information security management system;

  • D) feedback on the information security performance, including trends in the following

  • 1) nonconformities and corrective actions;

  • 2) monitoring and measurement results;

  • 3) audit results;

  • 4) fulfilment of information security objectives;

  • E) feedback from interested parties;

  • F) results of risk assessment and status of risk treatment plan;

  • G) opportunities for continual improvement.

  • Is clause 9.3.2 considered compliant

9.3.3 Management review results

  • Do the results of the management review include decisions related to continual improvement opportunities and any needs for changes to the information security management system.

  • Can the client provide documented information as evidence of the results of management reviews.

  • Is clause 9.3.3 considered compliant

10 Improvement

  • ** input evidence within the 'notes' / 'media' section for all questions - ** Each question should be answered where applicable

  • 10.1 Continual improvement

  • Can the client provide evidence of how they have continually improved the suitability, adequacy and effectiveness of the information security management system.

  • Is clause 10.1 considered compliant

10.2 Nonconformity and corrective action

  • When a non-conformity occurs can the client demonstrate how they undertake the following

  • A) react to the nonconformity, and as applicable:

  • 1) take action to control and correct it;

  • 2) deal with the consequences;

  • B) evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by:

  • 1) reviewing the nonconformity;

  • 2) determining the causes of the nonconformity;

  • 3) determining if similar nonconformities exist, or could potentially occur;

  • C) implement any action needed;

  • D) review the effectiveness of any corrective action taken;

  • E) make changes to the information security management system (if necessary).

  • Corrective actions shall be appropriate to the effects of the nonconformities encountered. Documented information shall be available as evidence of:

  • F) the nature of the nonconformities and any subsequent actions taken,

  • G) the results of any corrective action.

  • Is clause 10.2 considered compliant

Mandatory Documentation

  • ** input evidence within the 'notes' / 'media' section for all questions - ** Each question should be answered where applicable

  • ISO 27001: 2022 requires the following documents, indicate if they are available, if possible obtain copies and include them in the clients file

  • 10.1 Continual improvement

  • Scope of the ISMS Clause 4.3 ISMS Scope document

  • Information security policy Clause 5.2 Information Security Policy

  • Risk assessment and risk treatment process Clause 6.1.2 Risk Assessment and Treatment Methodology

  • Statement of Applicability Clause 6.1.3 d) Statement of Applicability

  • Risk treatment plan Clauses 6.1.3 e, 6.2, and 8.3 Risk Treatment Plan

  • Information security objectives Clause 6.2 List of Security Objectives

  • Risk assessment and treatment report Clauses 8.2 and 8.3 Risk Assessment & Treatment Report

  • The following controls are documents required within the Statement of Applicability indicate if they are available, if possible obtain copies and include them in the clients file

  • Inventory of assets Control A.5.9* Inventory of Assets, or List of Assets in the Risk Register

  • Acceptable use of assets Control A.5.10* IT Security Policy

  • Incident response procedure Control A.5.26* Incident Management Procedure

  • Statutory, regulatory, and contractual requirements Control A.5.31* List of Legal, Regulatory, and Contractual Requirements

  • Security operating procedures for IT management Control A.5.37* Security Procedures for IT Department

  • Definition of security roles and responsibilities Controls A.6.2 and A.6.6* Agreements, NDAs, and specifying responsibilities in each security policy and procedure

  • Definition of security configurations Control A.8.9* Security Procedures for IT Department

  • Secure system engineering principles Control A.8.27* Secure Development Policy

Mandatory records

  • The following records should be viewed, collect random sample evidence

  • Trainings, skills, experience, and qualifications Clause 7.2 Training certificates and CVs

  • Monitoring and measurement results Clause 9.1 Measurement Report

  • Internal audit program Clause 9.2 Internal Audit Program

  • Results of internal audits Clause 9.2 Internal Audit Report

  • Results of the management review Clause 9.3 Management Review Minutes

  • Results of corrective actions Clause 10.2 Corrective Action Form

records of the following controls within the SoA , if possible obtain copies and include them in the clients file

  • Logs of user activities, exceptions, and security events Control A.8.15* Automatic logs in information systems

Closing Meeting and Recomendations

  • ** input evidence within the 'notes' / 'media' section for all questions - ** Each question should be answered where applicable

  • Can it be verified that the client is using the correct version of the ACCS / UKAS logo and is it being displayed correctly

  • Closing Meeting

  • The closing meting was attended by (name & position) :

  • Introductions <br>• Thank the organisation for their assistance, co-operation and hospitality <br>• Deal with any issues of confidentiality <br>• Emphasise that the auditing process can only sample the Data Protection System at a particular moment in time <br>• Ask the management team to defer any questions until after the findings have been presented

  • Presentation of Findings <br>Presentation of the detailed findings which involves: <br>• Confirmation of each non-compliance found and areas seen of good practices<br>• Agreement to suitable corrective action for each non-compliance <br>• Indication of timescales for completion of corrective action <br>• Ask other members of the Audit Team to report if appropriate <br>• Presentation of an Audit summary including a judgement of the level of Data Protection compliance achieved by the organisation <br>• Invite questions for clarification and provide immediate answers wherever possible

Recommendations

  • Confirm that the Auditors recommendations may not be the final outcome of the audit and that the audit report will be subject to review by an ACCS audit reviewer

  • Is certification / continued certification / recertification recommended

Post Audit Activities

  • Post Audit Reporting <br>• Explain to the management team the nature of summary report they will receive, e.g. Compliance Audit Report together with associated Non-compliance Reports etc. <br>• Establish the organisations requirements for distribution of the summary report

  • If required - Audit Follow-up <br>• Agree the nature of any required follow-up visit, e.g. documentation check, partial re-audit or full re-audit <br>• Arranging the timescale for any required follow-up visit

  • Ensure a copy of Audit plan for THIS audit is attached onto your downloaded Word document before sending a copy to admin

  • Ensure a copy of the 3 year audit cycle plan is attached to your downloaded word document before sending a copy to admin

  • Ensure a copy of Audit plan for the NEXT audit is attached onto your downloaded Word document and that it includes the required elements of the 3 year audit cycle plan before sending a copy to admin

The templates available in our Public Library have been created by our customers and employees to help get you started using SafetyCulture's solutions. The templates are intended to be used as hypothetical examples only and should not be used as a substitute for professional advice. You should seek your own professional advice to determine if the use of a template is permissible in your workplace or jurisdiction. You should independently determine whether the template is suitable for your circumstances.