UnixTime

Research Note

A.6.3 Audit Checklist

Use this checklist during an internal audit of information security awareness, education, training, and update processes.

On this page

When to use this

Use this checklist during an internal audit of information security awareness, education, training, and update processes.

Audit checklist

  • Confirm the organization has a documented awareness and training approach.
  • Confirm training covers employees, contractors, third-party users, and relevant interested parties where applicable.
  • Confirm required training is mapped to job function and security responsibility.
  • Sample personnel records and verify induction training before work/access.
  • Sample specialist roles and verify supplementary training.
  • Check whether training material aligns with current policies and procedures.
  • Check whether trainer or external supplier competence is approved.
  • Verify records show content, date, provider, completion, and results where applicable.
  • Interview personnel to verify awareness of policy, ISMS contribution, and consequences of nonconformity.
  • Check whether training is repeated or updated after changes, incidents, audit findings, or emerging threats.
  • Check whether effectiveness metrics are reviewed and acted on.
  • Record nonconformities, observations, and improvement actions.

Findings table

Sample Expected evidence Observed evidence Gap Finding type Action owner
TBD TBD TBD TBD NC / observation / conforming TBD