Document ID: ISMS-AUD-001 | Version: 1.0 | Date: March 2026 | Classification: Internal | Owner: Information Security Manager
Purpose and Scope
This document defines the internal audit programme and provides checklist resources for conducting ISMS internal audits at [Organisation Name] in accordance with ISO/IEC 27001:2022 Clause 9.2.
Internal audits provide independent assurance that the ISMS is implemented as intended, operating effectively, and conforming to the requirements of ISO/IEC 27001:2022 and organisational policies. Audit findings drive corrective actions and continual improvement.
The audit programme covers all clauses of ISO/IEC 27001:2022 (Clauses 4–10) and a representative sample of Annex A controls across all four themes. Full scope coverage is achieved over the 3-year audit cycle.
1. Audit Programme — 3-Year Rolling Plan
| Audit ID | Period | Planned Dates | Scope | Lead Auditor | Status |
|---|---|---|---|---|---|
| 2026-01 | Q1 2026 | March 2026 | Clauses 4–7 (Context, Leadership, Planning, Support); Theme 5 Organisational Controls sample (5.1–5.10, 5.19–5.22, 5.24–5.28) | [Internal Auditor Name] | Planned |
| 2026-02 | Q3 2026 | September 2026 | Clauses 8–10 (Operations, Performance Evaluation, Improvement); Theme 6 People Controls (6.1–6.8); Theme 7 Physical Controls (7.1–7.14) | [Internal Auditor Name] | Planned |
| 2027-01 | Q1 2027 | March 2027 | Full scope audit — all clauses (4–10) and representative sample of all 93 Annex A controls; preparation for certification | [External Auditor — Certification Body] | Planned |
| 2027-02 | Q3 2027 | September 2027 | Clauses 6–8 focus; Theme 8 Technological Controls (8.1–8.34); follow-up on previous findings | [Internal Auditor Name] | Planned |
| 2028-01 | Q1 2028 | March 2028 | Surveillance / recertification audit (certification body); full scope | [External Auditor — Certification Body] | Planned |
Audit Frequency Note: ISO/IEC 27001:2022 requires that internal audits are conducted at planned intervals. The organisation targets two internal audits per year to ensure all areas receive coverage within the 3-year certification cycle. Additional unplanned audits may be triggered by significant incidents, major organisational changes, or CISO direction.
2. Auditor Independence
Auditors must not audit processes or systems for which they have operational responsibility. The following independence rules apply:
- The ISM may not audit ISMS processes they directly operate; those processes are audited by the CISO or an external auditor.
- The IT Manager may not audit IT controls they personally configured or manage.
- Where internal independence cannot be achieved, an external auditor must be engaged for that scope item.
- Auditors must declare any conflict of interest before accepting an audit assignment.
3. Clause-by-Clause Audit Checklist
Clause 4 — Context of the Organisation
| # | Audit Question | Evidence to Request |
|---|---|---|
| 4.1 | Has the organisation documented and reviewed internal and external issues that are relevant to the ISMS? When was this last reviewed? | ISMS context analysis document; management review minutes showing context review |
| 4.2 | Have interested parties been identified? Are their requirements understood and documented? | Interested parties register or equivalent section in ISMS scope document |
| 4.3 | Is the ISMS Scope document current, formally approved, and accessible? Does it clearly state what is included and excluded with justifications? | ISMS Scope document (ISMS-SCOPE-001) with approval signature and date |
| 4.4 | Is there evidence that the organisation has established, implemented, maintained, and continually improved an ISMS that addresses the determined scope? | ISMS documentation set; audit history; management review records |
Clause 5 — Leadership
| # | Audit Question | Evidence to Request |
|---|---|---|
| 5.1 | Can Top Management demonstrate knowledge of the ISMS and its objectives? Do they understand the risk appetite? | Interview with CEO/Board member; management review minutes |
| 5.2 | Is the Information Security Policy approved by Top Management? Does it include objectives, scope, and a commitment to continual improvement? | Policy document with approval signature and date |
| 5.3 | Are information security roles and responsibilities formally assigned and communicated? Is there an organisational chart reflecting security roles? | Roles and Responsibilities document; org chart; job descriptions |
| 5.4 | Is there evidence that Top Management has allocated adequate resources for the ISMS? | Budget approval records; headcount; tool procurement decisions |
| 5.5 | Does the CISO report to Top Management on ISMS performance? At what frequency? | Management review minutes; CISO board reports |
Clause 6 — Planning
| # | Audit Question | Evidence to Request |
|---|---|---|
| 6.1 | Is there a documented risk assessment methodology? Is it consistently applied across all assessments? | Risk Assessment Methodology (ISMS-METH-001); multiple risk assessments showing consistent approach |
| 6.2 | Is the risk register current? Has it been formally reviewed in the last 12 months? Are all risks assigned to named owners? | Risk register (ISMS-RISK-001) with review date and owner signatures |
| 6.3 | Does the Statement of Applicability include all 93 Annex A controls with justified inclusion/exclusion decisions? | SoA (ISMS-SOA-001) with completion date |
| 6.4 | Are information security objectives defined, measurable, and communicated? Is there a record of progress against objectives? | Objectives register; KPI dashboard; management review minutes |
| 6.5 | Is there a documented risk treatment plan for High and Critical risks? Are treatment actions tracked to completion? | Risk Treatment Plan (ISMS-RTP-001); corrective action evidence |
Clause 7 — Support
| # | Audit Question | Evidence to Request |
|---|---|---|
| 7.1 | Has the organisation identified the competency requirements for personnel involved in ISMS activities? Is competency assessed? | Competency requirements documentation; training needs analysis |
| 7.2 | Are all ISMS-relevant personnel aware of: the Information Security Policy; their contribution to ISMS effectiveness; implications of non-conformance? | Training records; policy acknowledgement sign-offs; awareness programme content |
| 7.3 | Is there a documented and delivered security awareness training programme? Are completion rates tracked? | Training completion records; training content; evidence of non-completion follow-up |
| 7.4 | Is ISMS documentation controlled? Is there a document control process ensuring documents are reviewed, approved, versioned, and accessible? | Document register; version history on policies; approval signatures; distribution records |
| 7.5 | Are ISMS records retained for appropriate periods and protected from loss or unauthorised modification? | Retention schedule; record storage locations; access controls on records |
Clause 8 — Operation
| # | Audit Question | Evidence to Request |
|---|---|---|
| 8.1 | Are risk assessments conducted before significant changes to systems, services, or processes? | Change management records; risk assessment evidence linked to project approval |
| 8.2 | Is there evidence that the risk treatment plan is being implemented per agreed timelines? How are delays managed? | Risk treatment plan status; corrective actions for overdue items |
| 8.3 | Are operational security procedures documented and accessible to relevant staff? Are they followed in practice? | Sample of operational procedures; observation or interview to confirm awareness |
| 8.4 | Is there evidence that outsourced processes are controlled? Are supplier security obligations monitored? | Supplier register; Tier 1 supplier review records; contract security clauses |
| 8.5 | Is change management applied consistently? Are security implications reviewed for each change? | Change log; change approval records; security sign-off on changes |
Clause 9 — Performance Evaluation
| # | Audit Question | Evidence to Request |
|---|---|---|
| 9.1 | Are information security KPIs defined? Are they measured and reported to management at regular intervals? | KPI dashboard; frequency of reporting; recipients |
| 9.2 | Are internal audits conducted per the approved audit programme? Are audit reports produced? | Audit programme; completed audit reports; evidence of independence |
| 9.3 | Is there evidence of a Management Review conducted with all required inputs (Clause 9.3 list)? Is there a record of decisions and actions? | Management review minutes; attendance record; actions tracker |
| 9.4 | Are monitoring and measurement results analysed to identify trends? Is there evidence that results drive decisions? | KPI trend analysis; management review discussion of results |
Clause 10 — Improvement
| # | Audit Question | Evidence to Request |
|---|---|---|
| 10.1 | Is there a nonconformity register? Are NCs classified by severity? Are corrective actions tracked to closure? | NC register; CA register; closed NC evidence |
| 10.2 | Is root cause analysis conducted for nonconformities? Is the action addressing the root cause (not just the symptom)? | RCA worksheets; corrective action descriptions |
| 10.3 | Is there evidence of continual improvement beyond just corrective actions? (e.g., proactive improvements, process automation) | Improvement log or equivalent; management review improvement agenda item |
| 10.4 | Are corrective action effectiveness reviews conducted? How does the organisation confirm actions have worked? | Effectiveness review records; closed NC evidence with verification signature |
4. Annex A Controls Sample Checklist
Theme 5 — Organisational Controls (sample)
| # | Audit Question | Evidence to Request |
|---|---|---|
| 5.1 | Is the Information Security Policy communicated to all staff? Can a sample of staff articulate the key principles? | Communication records; policy acknowledgement signatures; staff interviews |
| 5.7 | Are threat intelligence sources used? How does threat intelligence feed into the risk assessment process? | Threat intel subscription records; risk register updates linked to threat intel |
| 5.24 | Is there a documented incident response plan? Is it tested? Do all relevant staff know how to report an incident? | Incident Response Policy; test exercise records; staff awareness interviews |
| 5.19 | Is the supplier register current? Do Tier 1 suppliers have current security assessments? | Supplier register with review dates; Tier 1 assessment evidence |
| 5.15 | Is access to information assets controlled? Is there evidence of access provisioning and review processes? | Access request records; access review reports; access register |
Theme 6 — People Controls
| # | Audit Question | Evidence to Request |
|---|---|---|
| 6.1 | Are background checks conducted before employment? What is the scope of the check (criminal record, identity, references)? | HR screening policy; sample background check confirmations (anonymised) |
| 6.3 | Is security awareness training delivered at induction? Is annual refresher training completed by all staff? | Training records; induction checklist; training completion report |
| 6.7 | Are specific security controls in place for remote workers? Are they documented and communicated? | Remote working policy; evidence of VPN enforcement; MDM enrolment records |
| 6.8 | Is there a clear process for reporting security events? Is a no-blame culture actively promoted? | Reporting procedure; incident register showing low-severity reports from staff (indicator of culture) |
Theme 7 — Physical Controls
| # | Audit Question | Evidence to Request |
|---|---|---|
| 7.2 | Is access to restricted areas controlled? Are access logs reviewed? Is the access list current? | Access log export; access list review record; most recent quarterly review sign-off |
| 7.3 | Is visitor management in place with logs retained? Can the auditor observe the visitor management process? | Visitor log (last 3 months); visitor management procedure; observation of sign-in process |
| 7.7 | Is clear desk/clear screen compliance checked? When was the last spot check conducted? | Clear desk check log; policy acknowledgement; observation during audit |
| 7.14 | Is there a documented and followed equipment disposal procedure? Are disposal certificates retained? | Disposal log; certificates of destruction; Asset Inventory showing disposed items |
Theme 8 — Technological Controls
| # | Audit Question | Evidence to Request |
|---|---|---|
| 8.5 | Is MFA enforced on all critical systems? Are there any exemptions? How are exemptions managed? | Entra ID / Azure AD Conditional Access policy report; MFA enforcement report; exceptions register |
| 8.8 | Is vulnerability scanning conducted? What is the patch SLA? Is compliance with the SLA measured and reported? | Vulnerability scan reports; patch compliance dashboard; evidence of SLA adherence or breach |
| 8.13 | Are backups conducted per the backup policy? Are restore tests performed? Is there evidence of restore test results? | Backup job logs; restore test logs; backup monitoring alert configuration |
| 8.15 | Are logs collected from all critical systems? Are they centralised in the SIEM? What is the retention period? | SIEM source list; log retention configuration; sample query demonstrating log availability |
| 8.22 | Is network segmentation in place? Are critical networks (server, lab, corporate, guest) separated? | Network diagram; firewall ruleset; VLAN configuration |
5. Audit Findings Template
| Field | Response |
|---|---|
| Finding ID | [e.g., 2026-01-F01] |
| Audit | [e.g., Internal Audit 2026-01] |
| Clause / Control | [e.g., Clause 9.2 / 5.18] |
| Finding Type | Nonconformity (Major) / Nonconformity (Minor) / Observation / Opportunity for Improvement |
| Description | [Clear, factual description of what was found; avoid opinion; stick to evidence] |
| Evidence Reviewed | [What documents, records, screenshots, or interviews support the finding] |
| Root Cause (if known) | [Immediate root cause assessment; full RCA to be completed in CA process] |
| Required Action | [What must be done to address the finding] |
| Due Date | [Target date for corrective action; Major NC: 90 days; Minor NC: per agreed plan] |
| Status | Open / In Progress / Closed |
Example Findings:
| Finding ID | Clause / Control | Finding Type | Description | Evidence Reviewed | Required Action | Due Date | Status |
|---|---|---|---|---|---|---|---|
| 2026-01-F01 | Clause 9.2 | Nonconformity (Minor) | No evidence that an internal audit was conducted in 2025 despite the ISMS requirement. The audit programme document was created in March 2026 but contains no evidence of completion for the preceding year. | Audit programme reviewed; no 2025 audit report found in document management system; ISM confirmed no audit conducted | Conduct an audit covering the areas that should have been covered in 2025; update audit programme to prevent recurrence; consider root cause for why audit was not conducted | 2026-06-30 | Open |
| 2026-01-F02 | 5.18 (Access Rights) | Nonconformity (Minor) | Finance system access review last conducted in March 2024. The Access Control Policy requires quarterly reviews for Confidential-rated systems. | Access review log showing March 2024 as the most recent review; Finance system classified as Confidential in Asset Inventory; Access Control Policy Section 3 requiring quarterly review | Conduct overdue finance system access review immediately; remove any inappropriate access discovered; schedule quarterly reviews in IT calendar with automated reminders | 2026-04-30 | Open |
| 2026-01-F03 | 5.19 (Supplier Security) | Observation | Tier 2 supplier (recruitment platform) has no record of a security questionnaire or review. The Supplier Security Policy requires biennial reviews for Tier 2 suppliers. The supplier holds CVs and personal data of applicants. | Supplier register; no review record for the recruitment platform despite registration in 2023 | Schedule and complete Tier 2 supplier security questionnaire; document findings in supplier register | 2026-05-31 | Open |
6. Audit Report Template Structure
Each completed audit must produce a formal report containing:
- Executive Summary — brief overview of scope, approach, and headline findings
- Audit Scope and Objectives — what was covered and what was not
- Audit Methodology — how the audit was conducted (document review, interviews, observation, sampling)
- Auditor Declaration of Independence — signed statement confirming no conflicts of interest
- Summary of Findings — table of all findings by type (Major NC / Minor NC / Observation / OFI)
- Detailed Findings — one section per finding using the findings template above
- Positive Observations — what is working well; not all feedback need be negative
- Recommendations — auditor recommendations beyond the formal findings
- Auditee Response — management’s formal response and acceptance of findings
- Sign-off — auditor signature, auditee signature, CISO review signature, date
7. Review History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | March 2026 | [ISM Name] | Initial issue |