User
How to structure the internal audit checklist?
Experta
A simple ISMS internal audit checklist or questionnaire might have the following columns:
1. ISO 27001 clause or control reference - unique identification of the clause or control of the standard against which the auditor needs to assess compliance.
2. The requirement - briefly states what is expected and hence what has to be checked.
3. Status - whether the organization is compliant or not.
4. Finding - summary of what the auditor has found, referring to supporting evidence held in the audit file such as copies of procedures, interview notes, printouts, etc.
Columns 1 and 2 are filled as part of the preparation phase, between audit scoping and fieldwork. Columns 3 and 4 are completed during the fieldwork to record the findings.
Examples:
An example of one row in an Internal audit checklist related to backups:
1. Clause: A.8.13 Information backup
2. Requirement: Backup Policy requires backups to be performed every 6 hours.
3. Status: Not compliant.
4. Finding: The backup log (doc #3) shows backups are taken daily and only during weekdays, although work continues and information arrives 24x7.