Day 1: ISO 27001:2022 Audit Questionnaire (Clauses 4-10)

Focus Area: Clauses 4-10 (Full ISMS Framework)

Objective: Establish the foundation of the ISMS by auditing context, leadership, planning, support, operations, performance, and improvement.

Personnel Needed: Top management, ISMS owner, risk manager, IT lead, HR representative

Total Questions: 48 (roughly 5-10 minutes each, including discussion and evidence review; the afternoon blocks are tighter than the morning ones, so keep evidence requests specific)

Day 1 Schedule

9:00 AM - 10:30 AM    Opening Meeting + Clause 4    5 questions
10:30 AM - 12:30 PM   Clause 5 + Clause 6           15 questions
12:30 PM - 1:30 PM    Lunch/Break                   -
1:30 PM - 3:00 PM     Clause 7                      8 questions
3:00 PM - 4:30 PM     Clause 8 + Clause 9           13 questions
4:30 PM - 5:00 PM     Clause 10 + Wrap-Up           7 questions

Opening Meeting (30-60 minutes)

Purpose: Introduce the audit, clarify objectives, confirm logistics, and build rapport with the client team.

Attendees: Top management, ISMS owner, key stakeholders (e.g., department heads), audit coordinator.

Opening Meeting Questions/Agenda Points

  1. Introduction:
    • "Can you confirm your role and involvement in the ISMS for introductions?"
    • "Are there any recent changes to the organization or ISMS I should be aware of?"
  2. Audit Objectives:
    • "I'm here to assess your ISMS against ISO 27001:2022, starting today with the management-system clauses (4-10): context, leadership, planning, support, operation, performance evaluation, and improvement. Does this align with your expectations?"
    • "Are there specific areas you'd like me to prioritize or concerns you want addressed?"
  3. Scope and Schedule:
    • "We're covering governance, policies, and roles today, as per the schedule sent. Does this work for your team?"
    • "Are the listed personnel available today, and are there any timing constraints?"
  4. Evidence and Access:
    • "I'll need policies, meeting minutes, and asset inventories today. Are these ready, and who's my point of contact for them?"
    • "Will I have access to documentation systems or need assistance retrieving records?"
  5. Process and Reporting:
    • "I'll document findings daily and share a draft report on Day 5. How would you prefer updates—daily briefings or just the final report?"
    • "Are there any confidentiality protocols I should follow for findings?"
  6. Closing:
    • "Any questions for me before we start?"
    • "Let's aim to kick off interviews in [e.g., 30 minutes]—does that work?"

Notes: Keep this conversational, take notes on responses, and confirm logistics (e.g., meeting rooms, contact person). End with a positive tone: "Looking forward to a productive week!"

Clause Questionnaires

Clause 4: Context of the Organization


Objective: Ensure the organization understands its context, stakeholders, and ISMS scope.

  1. What internal and external issues could affect the ISMS? Can you provide a documented analysis?
  2. Who are the interested parties (e.g., customers, regulators), and how are their information security requirements determined? Can I see a list or register?
  3. How was the scope of the ISMS defined? Can I see the documented scope statement?
  4. What processes or functions are included/excluded from the ISMS scope? How was this decision made?
  5. How do you ensure the ISMS aligns with the organization's strategic goals? Can you provide examples or documentation?

Evidence Requested: Context analysis, stakeholder register, ISMS scope document.

Overlap: Interested-party requirements (4.2) feed A.5.31 (Legal, statutory, regulatory and contractual requirements); the external-issue analysis (4.1) sets the stage for A.5.7 (Threat intelligence).

Clause 5: Leadership


Objective: Verify top management's commitment, policy establishment, and role assignment.

  1. How does top management demonstrate leadership and commitment to the ISMS? Can you show evidence (e.g., policy approvals, resource allocation)?
  2. Is there a documented information security policy? Can I see the latest version, and who approved it?
  3. How is the security policy communicated to employees, contractors, and third parties? Can I see communication records?
  4. Does the policy align with the organization's risk appetite and business objectives? How is this ensured?
  5. Are information security roles and responsibilities clearly defined? Can I see the documentation (e.g., org chart, job descriptions)?
  6. How does management ensure the ISMS is integrated into business processes? Can you provide examples (e.g., meeting minutes)?
  7. How does leadership promote a security-aware culture? Can I see awareness campaigns or tone-from-the-top messages?

Evidence Requested: Security policy, approval records, communication logs, role assignments, meeting minutes.

Overlap: A.5.1 (Policies), A.5.2 (Roles), A.5.4 (Management Responsibilities).

Clause 6: Planning


Objective: Assess risk management, objectives, and planning processes.

  1. How does the organization identify and assess information security risks? Can I see the risk assessment methodology?
  2. Can you provide the latest risk assessment results? Who conducted it, and when?
  3. How are risk treatment options selected and implemented? Can I see the risk treatment plan?
  4. Who approves the risk assessment and treatment plans? Can I see evidence of sign-off?
  5. What criteria are used to accept residual risks? Can I see the risk acceptance policy or records?
  6. What are the information security objectives? Can I see the documented objectives?
  7. How are these objectives measurable, monitored, and communicated? Can I see performance records or reports?
  8. How do you plan changes to the ISMS? Can I see a change management process or recent examples?

Evidence Requested: Risk methodology, risk register, treatment plan, objectives document, change logs.

Overlap: Risk assessment and treatment are clause 6.1.2/6.1.3 requirements, not Annex A controls; the Statement of Applicability (6.1.3 d) is where the treatment plan is tied to Annex A, so ask for it alongside the treatment plan. Related control: A.5.7 (Threat intelligence) as an input to risk identification.

Clause 7: Support


Objective: Verify resources, competence, awareness, communication, and documentation.

  1. How does management ensure adequate resources (budget, staff, tools) are allocated to the ISMS? Can I see budget approvals or staffing plans?
  2. How is the competence of personnel with security roles assessed? Can I see training records or certifications?
  3. What awareness programs are in place to educate employees about security? Can I see schedules, materials, or attendance logs?
  4. How do you ensure all staff understand their security responsibilities? Can I see evidence of communication or acknowledgment?
  5. How is internal communication about the ISMS managed? Can I see examples (e.g., emails, intranet posts)?
  6. How is external communication with stakeholders (e.g., suppliers, regulators) handled? Can I see procedures or records?
  7. What types of information are documented for the ISMS? Can I see a master list of documents?
  8. How is documentation controlled (e.g., versioning, access, protection)? Can I see document control procedures or examples?

Evidence Requested: Budget docs, training records, awareness materials, communication logs, document register.

Overlap: A.6.3 (Information security awareness, education and training), A.5.10 (Acceptable use of information and other associated assets), A.5.33 (Protection of records) for document control.

Clause 8: Operation


Objective: Ensure operational controls and risk management are implemented effectively.

  1. How are information security controls planned and implemented? Can I see an implementation plan or control list?
  2. How do you assess and treat risks operationally? Can I see evidence of risk reviews or control adjustments?
  3. What processes are in place to manage changes to the ISMS (e.g., new systems, policies)? Can I see change records?
  4. How are outsourced processes (e.g., IT services) identified and controlled? Can I see supplier agreements or monitoring records?
  5. How do you ensure operational consistency with the risk treatment plan? Can I see alignment evidence?

Evidence Requested: Control implementation plan, risk review records, change logs, supplier contracts.

Overlap: A.5.19 (Information security in supplier relationships), A.5.20 (Addressing information security within supplier agreements), A.5.22 (Monitoring, review and change management of supplier services), A.5.23 (Information security for use of cloud services) where outsourced processes run in the cloud, A.8.32 (Change management).

Clause 9: Performance Evaluation


Objective: Assess monitoring, measurement, audits, and management reviews.

  1. What processes, controls, or objectives are monitored and measured? Can I see a list of KPIs or metrics?
  2. How are monitoring results analyzed and evaluated? Can I see recent performance reports?
  3. What methods are used to ensure measurements give comparable and reproducible results (e.g., defined metric formulas, tool configurations, data sources)? Can I see the metric definitions, tool configs, or validation records?
  4. When was the last internal audit conducted? Can I see the audit plan, report, and findings?
  5. How are internal audit findings addressed? Can I see corrective action records?
  6. How often does top management review the ISMS? Can I see the schedule and minutes from the last review?
  7. What inputs are considered in management reviews (e.g., incidents, audits)? Can I see the agenda or supporting docs?
  8. What decisions or actions resulted from the last review? Can I see action logs or follow-ups?

Evidence Requested: KPI list, performance reports, audit docs, review minutes, action plans.

Overlap: A.5.36 (Compliance with policies, rules and standards for information security), A.5.35 (Independent review of information security) for internal audit, A.8.15 (Logging), A.8.16 (Monitoring activities).

Clause 10: Improvement


Objective: Verify nonconformity management and continual improvement processes.

  1. How are nonconformities (e.g., incidents, audit findings) identified and documented? Can I see an incident log or nonconformity register?
  2. What's the process for correcting nonconformities? Can I see examples of corrective actions taken?
  3. How do you determine the root cause of nonconformities? Can I see analysis records?
  4. How are corrective actions evaluated for effectiveness? Can I see follow-up evidence?
  5. What improvements have been made to the ISMS recently? Can I see documentation of changes or initiatives?
  6. How do you ensure continual improvement is systematic? Can I see a process or policy for this?
  7. Are opportunities for improvement identified proactively? Can I see examples (e.g., feedback logs, risk reviews)?

Evidence Requested: Incident logs, corrective action records, improvement plans, process docs.

Overlap: A.5.26 (Incident Response), A.5.27 (Learning from Incidents).

Execution Plan for Day 1

Tips for Day 1