
ISO 27001 Audit Checklist: What Auditors Ask For at Every Stage

11 June 2026 · 4 min read

An ISO 27001 audit checks two things: that your Information Security Management System (ISMS) meets the mandatory clauses 4 to 10 of the standard, and that the Annex A controls you declared applicable in your Statement of Applicability actually operate with evidence. This checklist covers what auditors ask for at each stage, clause by clause, so nothing surprises you in the audit room.

The Four Audits You Will Face

Internal audit
  • Who performs it: you, or an outsourced internal auditor
  • When: before certification, then per your audit programme
  • What it checks: Clause 9.2 requirement; finds gaps before the certification body does

Stage 1
  • Who performs it: certification body
  • When: start of certification
  • What it checks: documentation review; is the ISMS designed correctly?

Stage 2
  • Who performs it: certification body
  • When: 4 to 8 weeks after Stage 1
  • What it checks: implementation review; does the ISMS operate with evidence?

Surveillance
  • Who performs it: certification body
  • When: annually in years 1 and 2
  • What it checks: spot-checks that the ISMS is maintained; recertification follows in year 3

In India, certification bodies are accredited by NABCB; the major ones operating here include BSI, Bureau Veritas, TÜV SÜD, LRQA, DNV, and BIS. Combined Stage 1 and Stage 2 fees typically run ₹1.5 lakh to ₹4 lakh depending on scope, with surveillance audits at roughly ₹1 lakh to ₹2 lakh each. Our ISO 27001 guide breaks down the full India cost picture.

The Checklist, Clause by Clause

Work through this before the internal audit, and again before Stage 1.

Clause 4: Context of the Organisation

  • Internal and external issues affecting the ISMS are documented
  • Interested parties and their requirements are identified
  • ISMS scope statement exists, with justified exclusions (auditors read this first)

Clause 5: Leadership

  • Information security policy is approved, published, and communicated
  • Security roles and responsibilities are assigned and known to their owners
  • Evidence that top management reviews and resources the ISMS

Clause 6: Planning

  • Documented risk assessment methodology with criteria for likelihood, impact, and acceptance
  • Completed risk assessment covering in-scope assets
  • Risk treatment plan mapping each material risk to controls or justified acceptance
  • Statement of Applicability covering all 93 Annex A controls with justification for every exclusion
  • Measurable information security objectives with owners and target dates

Clause 7: Support

  • Competence records and security training evidence for relevant staff
  • Awareness programme evidence (onboarding material, refresher records)
  • Document control: versioning, approval, and availability of ISMS documents

Clause 8: Operation

  • Risk assessments repeated at planned intervals and after significant changes
  • Risk treatment plan implemented, with status tracked per control
  • Operational evidence per applicable control: access reviews, backup logs, incident tickets, vendor assessments

Clause 9: Performance Evaluation

  • Monitoring and measurement results against the security objectives
  • Internal audit programme and at least one completed internal audit with findings and corrective actions
  • Management review minutes covering the required inputs (audit results, incidents, risk status, improvement decisions)

Clause 10: Improvement

  • Nonconformity register with root cause analysis and corrective actions
  • Evidence that corrective actions were verified as effective, not just closed

The three most common major nonconformities at Stage 2 are an incomplete internal audit (Clause 9.2), missing management review (Clause 9.3), and a Statement of Applicability that does not match operating reality. All three are process failures, not technology failures, and all three are avoidable in the weeks before the audit.

Evidence Auditors Request Most Often

Have these retrievable in minutes, not days:

  1. ISMS scope statement and information security policy
  2. Risk assessment, risk treatment plan, and current SoA
  3. Access control records: joiner/mover/leaver tickets and quarterly access reviews
  4. Security training and awareness completion records
  5. Incident register with at least one worked example end to end
  6. Backup and restore test logs
  7. Vendor/supplier security assessments and agreements
  8. Internal audit report and management review minutes
  9. Vulnerability management records: scans, triage, remediation
  10. Change management records for production systems

Stage 1 vs Stage 2: Prepare Differently

Stage 1 is a documentation audit. The auditor checks the ISMS design: scope, policy, risk methodology, SoA, and the mandatory records. Findings here are usually "areas of concern" you must fix before Stage 2.

Stage 2 is an evidence audit. The auditor samples controls from your SoA and asks operators to demonstrate them: show me the last access review, walk me through this incident, prove this backup restored. Reading your own policies is not preparation for Stage 2; running your processes is.

Auditors sample. You cannot predict which controls they pick, so partial readiness concentrated on "likely" controls is a losing strategy. A live checklist tracking evidence status across every applicable control tells you exactly where you are exposed before the auditor finds it.
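The "live checklist" idea above is easy to show in code. The following is an added example, not code from the article or from Vratex: a small Python tracker that reads a Statement of Applicability as a list of records, compares it against the risk treatment plan, and reports exactly the gaps the article warns about (applicable controls with no evidence, evidence nobody has verified, exclusions without justification, and SoA rows that contradict the treatment plan). The record layout, the `Control` class, and the sample rows and risk ids are assumptions constructed for illustration; the Annex A control ids and titles used in the sample are from ISO 27001:2022, except `A.8.99`, which is deliberately invalid to show how a typo in the plan surfaces.

```python
from dataclasses import dataclass, field


@dataclass
class Control:
    """One row of the Statement of Applicability (record layout is assumed)."""
    control_id: str
    title: str
    applicable: bool
    justification: str = ""                        # mandatory for every exclusion
    evidence: list = field(default_factory=list)   # references to operating records
    evidence_verified: bool = False                # set by the internal auditor


def soa_findings(controls, treatment_plan):
    """Compare the SoA against the risk treatment plan and the evidence held.

    treatment_plan maps a risk id to the control ids chosen to treat it.
    Returns a sorted list of (control_id, finding) tuples; an empty list
    means every applicable control has verified evidence and the SoA and
    the treatment plan agree.
    """
    by_id = {c.control_id: c for c in controls}
    referenced = {cid for cids in treatment_plan.values() for cid in cids}
    findings = []

    for c in controls:
        if c.applicable:
            if not c.evidence:
                findings.append((c.control_id, "applicable but no operating evidence"))
            elif not c.evidence_verified:
                findings.append((c.control_id, "evidence attached but not verified"))
        else:
            if not c.justification.strip():
                findings.append((c.control_id, "excluded without justification"))
            if c.control_id in referenced:
                findings.append((c.control_id, "excluded in SoA but selected in treatment plan"))

    # Controls the treatment plan relies on that the SoA never mentions at all.
    for cid in sorted(referenced - set(by_id)):
        findings.append((cid, "treatment plan references a control missing from the SoA"))

    return sorted(findings)


def readiness(controls):
    """Share of applicable controls with verified evidence, as a float 0.0 to 1.0."""
    applicable = [c for c in controls if c.applicable]
    if not applicable:
        return 0.0
    ready = sum(1 for c in applicable if c.evidence and c.evidence_verified)
    return ready / len(applicable)


# Constructed sample SoA: five rows, not a real organisation's data.
SAMPLE_CONTROLS = [
    Control("A.5.1", "Policies for information security", True,
            evidence=["ISMS-POL-001 v3, approved 2026-02-10"], evidence_verified=True),
    Control("A.5.18", "Access rights", True,
            evidence=["2026-Q1 access review export"], evidence_verified=False),
    Control("A.8.13", "Information backup", True),            # no restore test on file
    Control("A.7.7", "Clear desk and clear screen", False),   # excluded, no reason given
    Control("A.8.30", "Outsourced development", False,
            justification="No software development is outsourced"),
]

# Constructed treatment plan: risk id -> controls selected to treat it.
SAMPLE_TREATMENT_PLAN = {
    "R-07": ["A.5.18", "A.8.13"],
    "R-12": ["A.8.30"],   # contradicts the SoA exclusion above
    "R-15": ["A.8.99"],   # invalid id, stands in for a typo in the plan
}


if __name__ == "__main__":
    for control_id, finding in soa_findings(SAMPLE_CONTROLS, SAMPLE_TREATMENT_PLAN):
        print(f"{control_id:<8} {finding}")
    print(f"readiness: {readiness(SAMPLE_CONTROLS):.0%} of applicable controls verified")
```

Run against a full 93-row export, the findings list is the "where am I exposed" view the paragraph describes, and the readiness figure is the number to watch in the weeks before Stage 2. The treatment-plan cross-check is the part a spreadsheet rarely does, and it is what catches the SoA-versus-reality mismatch that the article lists among the most common major nonconformities.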

Where Vratex Fits

Vratex ships ISO 27001:2022 audit checklists with all 93 controls, weighted scoring, evidence attachment per item, and audit locking on completion, so internal audits and certification prep run from one tracked workspace instead of a spreadsheet nobody trusts.

What is an ISO 27001 audit checklist?

A structured list of the requirements an auditor will verify: the mandatory clauses 4 to 10 of ISO 27001 (scope, leadership, risk assessment, support, operation, performance evaluation, improvement) plus the Annex A controls declared applicable in your Statement of Applicability.

What is the difference between Stage 1 and Stage 2 audits?

Stage 1 reviews your ISMS documentation: scope, policies, risk assessment, and Statement of Applicability. Stage 2 verifies implementation: the auditor samples controls and asks for operating evidence such as access reviews, incident records, and backup tests. Certification is awarded after a successful Stage 2.

Is an internal audit mandatory before ISO 27001 certification?

Yes. Clause 9.2 requires a completed internal audit, and certification bodies expect to see the report, findings, and corrective actions at Stage 2. A missing or superficial internal audit is one of the most common major nonconformities.

How often are ISO 27001 audits conducted?

After initial certification, the certification body conducts surveillance audits annually in years 1 and 2, followed by a full recertification audit in year 3. Internal audits run on your own programme, typically at least annually.

What are the most common ISO 27001 audit nonconformities?

Incomplete internal audits, missing or thin management reviews, Statements of Applicability that do not match reality, stale risk assessments, and access control records that cannot demonstrate joiner/mover/leaver discipline.
