JDA Advisory

Audit ISO 27001 checklist

Audit ISO 27001 checklist – Prepare thoroughly for your ISO 27001 audit and protect your data.

The ISO 27001 checklist is a practical tool that supports effective audit preparation, ensuring compliance with standards and regulations – Audit ISO 27001 checklist

Audit ISO 27001 checklist – A comprehensive audit of compliance with the ISO 27001 standard.

Our checklist helps you verify all ISO 27001 requirements in detail, minimising the risk of non-compliance during an audit.

Audit ISO 27001 checklist – Support in meeting the requirements of NIS-2 and DORA.

The checklist makes it easy to monitor compliance with current regulations, which contributes to the company’s safety and operational stability.

Audit ISO 27001 checklist – Simplified implementation and improvement of management systems.

The tool helps to identify areas for improvement and to effectively implement the ISO 27001 and ISO 22301 standards.

ISO 27001:2022

Information security management in accordance with the requirements of ISO 27001, to protect your company’s data.

This checklist highlights the key areas of an ISO 27001 audit, helping organisations to prepare for and comply with information security standards.

Comprehensive ISO 27001 compliance audit

Our checklist helps you quickly identify and eliminate risks to ensure compliance with the standard and effective data protection.

Optimisation of safety processes

With our guidance, you can streamline your information security procedures, minimising vulnerabilities and strengthening your defences.

Support with the implementation of the standard

We offer practical tools and advice to help you implement ISO 27001 and improve the effectiveness of your management system.

Risk and Compliance Management

Our checklist helps you effectively monitor and manage risks, ensuring ongoing compliance with regulations and standards.

Get ready for ISO 27001 audits with our detailed checklist.

This section provides a comprehensive guide to help you prepare for ISO 27001 compliance audits.

Information security

Find out about the key requirements and practices that will ensure your data is protected.

ISO 27001:2022

Compliance with customer requirements

Find out how to meet your clients’ information security requirements

The audit process

A step-by-step guide to help you navigate every stage of the ISO 27001 audit.

ISO 19011

How does an ISO 27001 audit work?

A step-by-step guide to help you understand the ISO 27001 audit process and prepare your company to meet the highest standards of information security.

Step one: Preparing for the audit

Detailed preparation involving an analysis of the standard’s requirements and the identification of key safety areas to be assessed during the audit.

Step two: Conducting an audit

A thorough review of processes and information systems to confirm compliance with ISO 27001 and identify any gaps and risks.

Step three: Reporting and improvement

The preparation of a detailed audit report and recommendations for improvements that will help maintain and develop the information security management system.

Checklist ISO 27001:2022 Audit

A comprehensive, detailed, and ready-to-use ISO 27001 audit checklist.

Kontekst organizacji (pkt 4)

4.1 Understanding the organisation and its context
  • Has the context been linked to security risks?
  • Have internal and external factors been identified?
  • Is the context updated on a regular basis?
  • Evidence: context analysis, strategic reports, risk registers.
4.2 Stakeholders – Interested Parties
  • Is the list up to date?
  • Have the stakeholders been identified?
  • Have their information security requirements been defined?
  • Evidence: register of stakeholders, regulatory requirements.
4.3 Scope of the ISMS
  • Does the scope reflect the operational reality?
  • Is the scope clearly defined?
  • Does it cover processes, systems, locations and suppliers?
  • Evidence: scope document, process map, IT architecture.

4.4 Information Security Management System

  • Has the ISMS been established, implemented, maintained and improved?
  • Evidence: ISMS documentation, policies, procedures.

5.1 Leadership and commitment

  • Does it take part in reviews?
  • Does senior management actively support the ISMS?
  • Does it provide resources?
  • Evidence: meeting minutes, board decisions.

5.2 Information Security Policy

  • Does it reflect the security objectives?
  • Is the policy up to date, approved, and communicated?
  • Evidence: policy, internal communications.

5.3 Roles, responsibilities, and powers

  • Is there an ISMS owner?
  • Have roles been defined and assigned?
  • Evidence: RACI matrix, job descriptions, policies.

6.1 Actions relating to risks and opportunities

  • Are activities monitored?
  • Is there a risk analysis methodology in place?
  • Are risks identified, assessed and addressed?
  • Evidence: risk register, methodology, reports.

6.2 Information security objectives

  • Do they have owners and metrics?
  • Are the objectives measurable?
  • Evidence: KPIs/KRIs, dashboards.

7.1 Resources

  • Are the resources commensurate with the risks and objectives?
  • Evidence: budgets, resource plans.

7.2 Competences

  • Are training courses provided?
  • Do employees have the necessary skills?
  • Evidence: skills matrices, training records.

7.3 Awareness

  • Do employees understand the policies and their responsibilities?
  • Evidence: knowledge tests, security awareness campaigns.

7.4 Communication

  • Has internal and external communication been defined?
  • Evidence: communication plan, procedures.

7.5 ISMS documentation

  • Does version control work?
  • Are documents managed?
  • Evidence: document register, repository.

8.1 Operational planning and control

  • Are security processes defined and operational?
  • Evidence: procedures, logs, records.

8.2 Information security risk assessment

  • Is the risk analysis up to date and carried out on a regular basis?
  • Evidence: risk register, reports.

8.3 Risk management

  • Are the measures appropriate and have they been implemented?
  • Evidence: SoA, action plans.

9.1 Monitoring, measurement, analysis, and evaluation

  • Are there any KPIs/KRIs?
  • Are they reported?
  • Evidence: dashboards, reports.

9.2 Internal audit

  • Are audits planned and carried out?
  • Are corrective actions implemented?
  • Evidence: audit plan, reports, NC.

9.3 Management review

  • Is the review being carried out in accordance with the requirements?
  • Evidence: reports, decisions.

10.1 Non-conformities and corrective actions

  • Are non-conformities recorded?
  • Are the measures effective?
  • Evidence: NC register, root cause analysis.

110.2 Continuous improvement

  • Does the organisation continuously improve its ISMS?
  • Evidence: roadmaps, initiatives.

Anneks A – Security Controls – (Annex A)

A.5 – A.8 (Organisational, Human, Physical, Technical)

For each inspection:

  • Has the control been implemented?
  • Is it working effectively?
  • Is there operational evidence?
  • Is the control proportionate to the risk?

Examples of checks:

A.5.7 – Risks posed by suppliers

  • Contracts include security requirements
  • SLAs/KPIs are monitored
  • Suppliers are classified by risk
  • Evidence: contracts, supplier register, monitoring results.

A.8.16 – Activity monitoring

  • Logs are collected, correlated and analysed
  • Incidents are detected and escalated
  • Evidence: SIEM logs, SOC reports.

A.8.28 – Backup

  • Backups are performed, tested and secured
  • Evidence: backup logs, restore test reports.

Assessment statuses

  • N/A – not applicable
  • OK – compliant
  • OBS – observation
  • MINOR NC – minor non-conformity
  • MAJOR NC – major non-conformity

Start your ISO 27001 audit with our checklist today.

Use our detailed checklist to prepare for your ISO 27001 audit — ensure compliance and information security.

See details