Information
-
Audit Title
-
Document No.
-
Client / Site
-
Conducted on
-
Prepared by
-
Location
-
Personnel
-
Insert company logo
Scope
-
Enter the scope
Opening meeting
-
List of attendees of opening meeting and their roles
-
Are there any Health & Safety issues that might affect the conduct of the audit?
-
Overview of the company
Review of previous audit findings
-
Describe the findings and indicate if they have been addressed and in what way
Key themes
-
Identify key themes
INFORMATION SECURITY MANAGEMENT SYSTEM
-
ISMS Policy
-
Does the ISMS policy include a framework for setting objectives?
-
Does it take into account legal and regulatory requirements?
-
Does it establish criteria against which risk will be evaluated?
-
Has it been approved by management?
-
Record the date the ISMS policy was last updated
Risk Assessments
-
Has the risk assessment methodology been defined?
-
Describe how risks are identified, analysed, evaluated and treated
-
Record the date the Risk Assessment was last updated
Statement of Applicability
-
Have control objectives and controls been defined, selected and implemented, or has the justification for their exclusion been documented?
-
Record the date the SoA was last updated
Operating the ISMS
-
How is the effectiveness of controls measured to ensure consistent and reproducible results?
-
Is there a log of actions and events which impact upon the effectiveness of the ISMS? Give examples of records seen.
-
Is there evidence of any improvements to the ISMS?
-
Is there a documented Control of Documents procedure?
-
Is there a Control of Records procedure?
-
Are records protected and controlled?
-
Have the controls required to identify, store, protect, retrieve, retain, and dispose of records been documented?
MANAGEMENT RESPONSIBILITY
-
Is there evidence that sufficient resources have been provided to adequately monitor, review, maintain and improve the ISMS?
-
Is there a training and awareness programme? Give examples of records seen to demonstrate this.
-
How is the effectiveness of any training given evaluated?
INTERNAL ISMS AUDITS
-
Have Internal ISMS audits been conducted and is there evidence that they have been planned?
-
Give dates and examples of audits conducted
MANAGEMENT REVIEW OF THE ISMS
-
Have management reviews of the ISMS been conducted and recorded?
-
Give details of the inputs and outputs
-
Give the date of the latest management review
ISMS IMPROVEMENT
-
Are there any records of non-conformities? If yes, how have these been addressed and what evidence was seen?
-
Is there any evidence of preventive action taken to identify potential non-conformities, and of evaluation of the need for action? Give examples.
Closing meeting
-
List of attendees of closing meeting and their roles
Major non-conformances
-
List any MAJOR non-conformances
-
❌ I regret to inform you that on this occasion I am unable to recommend your certification
Minor non-conformances
-
List all MINOR non-conformances
Observations and opportunities for improvement
-
List any observations or opportunities for improvement
-
I am pleased to be able to tell you that you have met the requirements of the standard and I will therefore be recommending your certification
-
Sign off the audit