UnixTime

Research Note

ISO 27001 Auditor Guide

This guide is the audit view of the vault. It turns the ISO/IEC 27001 and Annex A notes into audit planning, evidence testing, interview questions, findings, and corrective acti...

On this page

Purpose

How to use this page

Use this as a navigation and decision page. Follow the links for detailed control, audit, risk, evidence, and exam notes.

This guide is the audit view of the vault. It turns the ISO/IEC 27001 and Annex A notes into audit planning, evidence testing, interview questions, findings, and corrective action flow.

Use it when the question is:

  • what should the auditor verify;
  • what evidence is strong or weak;
  • what interviews should be performed;
  • how implementation claims should be challenged;
  • how findings should map back to risk, controls, and management review.

Core audit path

  1. Internal Audit Execution Guide
  2. A.5 Organizational Controls Audit Guide
  3. A.6 People Controls Audit Guide
  4. A.7 Physical Controls Audit Guide
  5. A.8 Technological Controls Audit Guide
  6. Audit Evidence Index
  7. ISO 27001 Implementer Auditor ISO 27005 Mapping
  8. A.5 Controls Implementation Audit Risk Mapping
  9. A.6 People Controls Implementation Audit Risk Mapping
  10. A.7 Physical Controls Implementation Audit Risk Mapping
  11. A.8 Technological Controls Implementation Audit Risk Mapping

Audit principle

Audit the operating ISMS, not the presence of documents. A policy without awareness, ownership, evidence, review, and corrective action is weak evidence.