Internal Audit Checklist
ISO/IEC 27701 Toolkit: Version 2
Implementation guidance
The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.
Purpose of this document
This is a checklist to be used as a prompter for questions during an internal audit.
Areas of the standard addressed
The main areas of the ISO/IEC 27701 standard addressed by this document are:
• 9. Performance evaluation
o 9.2 Internal audit
▪ 9.2.2 Internal audit programme
General guidance
When conducting an internal audit, it can be useful to have a list of standard questions to ask, organized according to the sections of the ISO/IEC 27701 standard. This makes the audit more interesting than simply reading the requirements from a spreadsheet. It’s possible that any one audit will not cover all parts of the standard so you may need to edit this checklist to cover the areas you need. You may also like to add further questions to the lists, depending on the type of organization you are auditing.
At each stage, it is important that evidence is reviewed and recorded to prove that procedures etc. are in place.
Review frequency
We would recommend that this document is reviewed annually.
Document fields
This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”.
To update this field (and any others that may exist in this document):
• Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.
• Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).
• Press F9 on the keyboard to update all fields.
• When prompted, choose the option to just update TOC page numbers.
If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9.
If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly.
Further detail on the above procedure can be found in the toolkit Completion Instructions This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.
Copyright notice
Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.
Licence terms
This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence.
If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.
Disclaimer
Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use.
Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country.
You should take all reasonable and proper legal and other professional advice before using this document.
CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
Audit details
Audit:
Audit scope:
Auditors:
Internal Audit Checklist
Audit date:
Clause 4 Context of the organization
Clause 4.1 Understanding the organization and its context
RECOMMENDED QUESTIONS
1. For which processing of PII does the organization act as a controller, joint controller, or processor?
2. What external and internal issues are relevant to the PIMS?
3. How do they affect its ability to achieve its intended outcome?
4. Has climate change been considered as an issue?
Clause 4.2 Understanding the needs and expectations of interested parties
1. Who are the interested parties?
2. What are their requirements?
3. How have their requirements been established?
Clause 4.3 Determining the scope of the PIMS
1. What is the PIMS scope?
2. How is it defined?
3. Is it reasonable?
4. Does it consider relevant issues and requirements?
5. Does it consider how the organization interacts with other organizations?
6. Is the scope documented?
Clause 4.4 Privacy information management system
1. Are the processes of the PIMS and their interactions defined?
Clause 5 Leadership
Clause 5.1 Leadership and commitment
1. Who is defined as top management within the scope of the PIMS?
2. How does top management demonstrate leadership and commitment?
3. Are privacy policies and objectives established?
4. Are enough resources allocated to the PIMS?
5. How does top management communicate to everyone involved in the PIMS?
Clause 5.2 Policy
1. Can I review the privacy policy?
2. Is it appropriate and does it cover the required areas?
3. Does it include the required commitments?
4. How has it been communicated and distributed and to whom?
RECOMMENDED QUESTIONS
1. What are the roles within the PIMS?
2. Are roles and responsibilities documented, for example in an organization chart?
3. Does everyone understand what their responsibilities and authorities are?
4. Who has the responsibility and authority for conformance and reporting?
Clause 6 Planning
Clause 6.1 Actions to address risks and opportunities
RECOMMENDED QUESTIONS
1. Is there a documented privacy risk assessment and treatment process?
2. Does it address risk acceptance criteria and when assessments should be done?
3. Are risks and opportunities to the PIMS identified and evaluated?
4. Are interested party requirements and internal and external issues considered?
5. What is the most recent risk assessment?
6. Does it identify a reasonable set of privacy risks and specify owners?
7. Are the likelihood and impact of risks assessed appropriately and risk levels determined?
8. How are the risks then evaluated and prioritized?
9. Review the most recent risk treatment plan.
10. Are reasonable risk treatment options selected?
11. Are the controls chosen to treat the risks stated clearly?
12. Is the organization’s information security programme documented?
13. Does the programme address the required areas?
14. Has a Statement of Applicability been produced and are inclusions and exclusions reasonable?
15. Has the risk treatment plan been signed off by the risk owners?
Clause
6.2
Privacy objectives and planning to achieve them
1. Are there documented privacy objectives?
2. Do the objectives comply with the requirements of the standard?
3. Is there a plan to achieve the objectives?
4. Does the plan include the what, who, when and how?
RECOMMENDED QUESTIONS
1. Is there a process in place for the planning of changes to the PIMS?
2. Has the process been followed for recent changes?
Clause 7.1 Resources
1. How are the resources needed for the PIMS determined?
2. Are the required resources provided?
Clause 7.2 Competence
1. Have the necessary competences been determined?
2. How has the competence of the people involved in the PIMS been established?
3. What actions have been identified to acquire the necessary competence?
4. Have the actions been completed and is there evidence of this?
Clause 7.3 Awareness
1. What approach has been taken to providing awareness
of the privacy policy, contribution to the PIMS and implications of not conforming?
2. Has everyone been covered?
Clause 7.4 Communication
1. How has the need for communication been established?
2. Is the approach to communication documented?
3. Is it evident that communication methods are in use?
4. Does the approach cover the what, when, who and how?
Clause 7.5 Documented information
1. Is all the documented information required by the standard in place?
2. Is the level of other documentation reasonable for the size of PIMS?
3. Are appropriate documentation standards – for
example, identification, format – in place?
4. Are the documentation standards applied in a uniform way?
5. Are appropriate activities carried out to control documented information as required by the standard?
6. How are documents of external origin handled?
Clause 8 Operation
Clause 8.1 Operational planning and control
1. What plans for processes are available to review?
2. Do they cover process criteria and risk treatment plans?
3. What planned changes to the PIMS have taken place recently and how were they controlled?
4. What processes are outsourced and how are they controlled?
Clause 8.2 Privacy risk assessment
1. What are the planned intervals for risk assessments?
2. What significant changes have happened that have prompted a risk assessment to be carried out?
Clause 8.3 Privacy risk treatment
1. What is the status of the risk treatment plan(s)?
2. How and when is it updated?
3. How is the success of a risk treatment judged?
Clause 9 Performance evaluation
Clause 9.1 Monitoring, measurement, analysis and evaluation
RECOMMENDED QUESTIONS
1. How is it determined what should be monitored and measured?
2. Review evidence of monitoring and measurement.
3. What procedures are in place to cover monitoring and measurement in different areas?
4. How are results reported?
Clause 9.2 Internal audit
1. How often are internal audits carried out?
2. Who carries them out?
3. Are the auditors objective and impartial?
4. Review the most recent internal audit report.
5. Have any nonconformities resulting from previous audits been addressed?
6. Does the audit programme cover the complete scope of the PIMS?
Clause 9.3 Management review
RECOMMENDED QUESTIONS
1. How often are management reviews carried out?
2. Who attends them?
3. Are minutes produced?
4. Review the results of the most recent one.
5. Are all of the required inputs included?
6. Does the management review represent a reasonable assessment of the health of the PIMS?
AUDIT FINDINGS
EVIDENCE REVIEWED
Clause 10 Improvement
Clause 10.1 Continual improvement
RECOMMENDED QUESTIONS
1. How are improvements identified?
2. Are they recorded?
3. What evidence of continual improvement can be demonstrated?
Clause 10.2 Nonconformity and corrective action
RECOMMENDED QUESTIONS
1. How are nonconformities identified?
2. How are they recorded?
3. Review the records of a recent nonconformity.
4. Was appropriate action taken to correct it and address the underlying causes?
5. Was the effectiveness of the corrective action reviewed?
Annex A
A.1 Control objectives and controls for PII controllers
A.1.2 Conditions for collection and processing
RECOMMENDED QUESTIONS
1. For what specific purposes is PII processed?
2. Which lawful bases are used to justify the processing?
3. Tell me how consent is obtained and recorded.
4. Please show me a recent privacy impact assessment.
5. Are written contracts in place with all PII processors?
6 What records are kept about PII processing?
A.1.3 Obligations to PII principals
RECOMMENDED QUESTIONS
1. What information is provided to PII principals at the point of collection of PII?
2. How do PII principals exercise their rights under applicable legislation?
RECOMMENDED QUESTIONS
3. Can we look at a recent request and how it has been handled?
4. How do you communicate with third parties with whom you have shared PII regarding PII principal requests?
A.1.4 Privacy by design and privacy by default
RECOMMENDED QUESTIONS
1. How is privacy incorporated into new processes and systems?
2. How long is PII retained for, and what happens when the retention period expires?
3. What controls are used when PII is transmitted outside the organization?
A.1.5 PII sharing, transfer and disclosure
RECOMMENDED QUESTIONS
1. What transfers of PII take place?
2. What is the legal basis for each transfer?
3. Can we see what disclosures of PII have been made recently?
A.2 Control objectives and controls for PII processors
A.2.2
Conditions for collection and processing
1. Please show me a customer agreement for the processing of PII.
2. How do you ensure that customer PII is not used for unauthorised purposes?
3. How do you help customers demonstrate compliance with privacy legislation?
4. Please show me your records related to processing PII.
A.2.3 Obligations to PII principals
1. How do you help your customers manage requests from PII principals?
A.2.4 Privacy by design and by default
1. How are temporary files containing PII managed?
2. What happens to PII when a customer ends their contract?
3. How is PII sent over a network protected?
A.2.5
PII sharing, transfer and disclosure
RECOMMENDED QUESTIONS
1. How does the customer know where their PII is stored and processed?
2. How often is PII disclosed to third parties, and how is this managed?
3. What is the process for managing the engagement of sub-processors?
A.3 Control objectives and controls for PII controllers and PII processors
A.3 Security Considerations for PII controllers and processors
RECOMMENDED QUESTIONS
1. Review the set of policies. (Control A.3.3)
2. Are they all approved? (Control A.3.3)
RECOMMENDED QUESTIONS
3. Who have they been communicated to? (Control A.3.3)
4. When was the last time they were reviewed? (Control A.3.3)
5. What information security roles are defined? (Control A.3.4)
6. Is there an information classification scheme in place? (Control A.3.5)
7. How is information labelled with its classification? (Control A.3.6)
8. What information transfers take place? (Control A.3.7)
9. Are there policies, procedures and controls in place to protect them? (Control A.3.7)
10. Are controls documented in formal agreements? (Control A.3.7)
11. Is there an access control policy? (Control A.3.8)
12. Is there a formal user access provisioning process? (Control A.3.9)
RECOMMENDED QUESTIONS
13. How are access rights reviewed and how often? (Control A.3.9)
14. What happens to access rights when someone moves or leaves? (Control A.3.9)
15. How are the organization’s security requirements communicated and agreed with suppliers? (Control A.3.10)
16. To what extent are the requirements documented in supplier agreements? (Control A.3.10)
17. Is there an information security incident procedure? (Control A.3.11)
18. Are incident management responsibilities understood? (Control A.3.11)
19. How are information security events and weaknesses reported? (Control A.3.11)
20. Review how some of the most recent incidents were responded to. (Control A.3.12)
21. How is knowledge gained from incidents re-used? (Control A.3.12)
RECOMMENDED QUESTIONS
22. Is it clear which laws and regulations apply to the organization and its activities? (Control A.3.13)
23. Are contractual obligations understood? (Control A.3.13)
24. Is an approach to meet these requirements in place? (Control A.3.13)
25. Are records protected in line with the understood requirements? (Control A.3.14)
26. How often are independent reviews of information security carried out? (Control A.3.15)
27. How often do managers check their areas comply with information security policies and standards? (Control A.3.16)
28. Review the most recent report on compliance of information systems with agreed information security policies. (Control A.3.16)
29. How are employees and contractors made aware of, and trained in, information security issues? (Control A.3.17)
RECOMMENDED QUESTIONS
30. Are there non-disclosure agreements in place with key parties? (Control A.3.18)
31. Are desks and screens clear of sensitive information and storage media? (Control A.3.19)
32. How is removable media managed, including disposal and transport? (Control A.3.20)
33. How are devices containing storage media disposed of securely? (Control A.3.21)
34. Is there a mobile device policy? (Control A.3.22)
35. What security measures are used to manage mobile device risks? (Control A.3.22)
36. How is secure authentication achieved? (Control A.3.23)
37. What is the backup policy and process of the organization? (Control A.3.24)
38. Are event logs collected and protected from tampering? (Control A.3.25)
39. Are system administrator and operator activities logged and reviewed? (Control A.3.25)
RECOMMENDED QUESTIONS
40. Is there a policy on the use of cryptographic controls? (Control A.3.26)
41. How has it been implemented? (Control A.3.26)
42. Is there a policy covering cryptographic keys? (Control A.3.26)
43. How is software developed securely within the organization? (Control A.3.27)
44. Are information security requirements included in specifications for new or changed systems? (Control A.3.28)
45. What principles are used when engineering secure systems? (Control A.3.29)
46. How do you monitor outsourced software development? (Control A.3.30)
47. How is the need to use PII for testing managed? (Control A.3.31)