Evidence Guide
ISO 27001 Audit Checklist: What Auditors Check and the Evidence You Need
A comprehensive, free checklist covering mandatory documents, all four Annex A control categories, evidence quality standards, and the top 10 nonconformity triggers. Use this to prepare for Stage 1, Stage 2, or surveillance audits.
How Auditors Select What to Check
Auditors do not check every control with equal depth. They use a risk-based sampling approach that prioritises areas most likely to have issues. Controls selected for deep-dive are based on: previous audit findings, organisational changes since the last audit, high-risk processes, areas where incidents have occurred, and the auditor's professional judgement.
In a typical Stage 2 audit, expect 30-50% of your applicable Annex A controls to receive detailed examination. The remainder get a lighter review. Over the 3-year cycle (initial + 2 surveillance audits), all controls should be covered at least once.
Mandatory Documentation Checklist
These documents are required by ISO 27001:2022 Clauses 4-10. Missing any of these is an automatic nonconformity.
| Document / Clause | What the Auditor Expects |
|---|---|
| ISMS scope (Clause 4.3) | Document defining organisational units, locations, assets, and technologies in scope. Must include justification for any exclusions. |
| Information security policy (Clause 5.2) | Top-level policy signed by senior management. Must reference commitment to continual improvement and compliance with requirements. |
| Risk assessment methodology (Clause 6.1.2) | Document describing how risks are identified, analysed, evaluated, and prioritised. Must define risk criteria and acceptance levels. |
| Risk assessment results (Clause 8.2) | The actual risk register with identified risks, likelihood/impact scores, risk owners, and treatment decisions. |
| Statement of Applicability (Clause 6.1.3d) | All 93 Annex A controls listed with status (applicable/not applicable) and justification for each decision. Must align with risk assessment. |
| Risk treatment plan (Clause 6.1.3e) | Plan showing how each unacceptable risk will be treated: which controls, who is responsible, timeline, and resources. |
| Internal audit records (Clause 9.2) | Audit programme, audit reports, findings, and corrective actions. Must cover the ISMS scope over the certification cycle. |
| Management review minutes (Clause 9.3) | Records of management meetings reviewing ISMS performance. Must cover required inputs (audit results, incidents, risk changes) and produce documented decisions. |
| Competency records (Clause 7.2) | Training records, qualifications, and competency assessments for personnel with ISMS roles. Must cover all key personnel. |
| Monitoring and measurement (Clause 9.1) | Records showing how ISMS effectiveness is measured: KPIs, metrics, dashboards. Must include what is measured, when, and by whom. |
Annex A Control Categories Checklist
ISO 27001:2022 has 93 controls across 4 categories. Here are the most-audited controls in each category with the evidence auditors expect.
Organisational Controls (A.5)
37 controls

| Control | Expected Evidence |
|---|---|
| A.5.1 - Information security policies | Policy suite published, version-controlled, acknowledged by staff |
| A.5.19-5.22 - Supplier management | Supplier register, security assessments, contractual security clauses, ongoing monitoring records |
| A.5.24-5.28 - Incident management | Incident response plan, incident log, post-incident reviews, tabletop exercise records |
| A.5.29-5.30 - Business continuity | BCP documentation, DR plan, test results within last 12 months, lessons learned |
People Controls (A.6)
8 controls

| Control | Expected Evidence |
|---|---|
| A.6.1 - Screening | Background check policy, evidence of checks conducted for relevant roles |
| A.6.3 - Information security awareness | Training programme, completion records, phishing test results, awareness materials |
| A.6.5 - Responsibilities after termination | Leaver process including access revocation records, asset return, NDA reminders |
Physical Controls (A.7)
14 controls

| Control | Expected Evidence |
|---|---|
| A.7.1-7.4 - Physical perimeters and entry | Access control systems, visitor logs, CCTV, server room access records |
| A.7.7 - Clear desk and clear screen | Policy, spot-check records or audit evidence, screen-lock configurations |
| A.7.10 - Storage media | Media handling policy, encryption on removable media, disposal records |
Technological Controls (A.8)
34 controls

| Control | Expected Evidence |
|---|---|
| A.8.3-8.5 - Access control | User provisioning records, privilege management, access review logs with dates and approvers |
| A.8.15-8.16 - Logging and monitoring | Log collection scope, review frequency records, alerting configuration, SIEM dashboard |
| A.8.24 - Cryptography | Encryption policy, data-at-rest and in-transit encryption evidence, key management procedures |
| A.8.25-8.26 - Secure development | SDLC documentation, code review records, security testing results, dependency scanning |
Evidence Quality Guide
Good Evidence
- Screenshot of access review completion with date and approver
- JIRA ticket showing change management approval workflow
- Meeting minutes with attendees, date, decisions, and action items
- System export showing MFA enforcement across all users
- Training completion report with names, dates, and scores
Weak Evidence
- "We do access reviews quarterly" (verbal assertion, no records)
- Undated policy document with no version control
- Meeting agenda with no minutes or decisions recorded
- "Our firewall blocks everything" (no configuration evidence)
- Training slide deck with no completion records
The quality test: could someone who was not present verify that this activity happened based solely on the evidence? If yes, it is adequate. Auditors want objective evidence, not assertions.
Top 10 Nonconformity Triggers
The most common findings that result in minor or major nonconformities, ranked by frequency across certification bodies.
| # | Finding | Category |
|---|---|---|
| 1 | Access reviews not conducted or not documented | Technological |
| 2 | Supplier security assessments missing or outdated | Organisational |
| 3 | Staff unable to describe security policies when interviewed | People |
| 4 | Incident response plan not tested via tabletop exercise | Organisational |
| 5 | Business continuity/DR plan not tested within 12 months | Organisational |
| 6 | Risk assessment not updated after significant changes | Organisational |
| 7 | Internal audit coverage incomplete or audit not independent | Management system |
| 8 | Management review missing required inputs or outputs | Management system |
| 9 | Change management records incomplete or missing | Technological |
| 10 | Asset inventory incomplete or not maintained | Organisational |
Frequently Asked Questions
What is the most common ISO 27001 audit finding?
Access reviews not conducted or not documented is consistently the most common nonconformity across certification bodies. Many organisations have access review policies but cannot demonstrate that reviews have actually been conducted with documented evidence of who approved, when, and what action was taken for inappropriate access.
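The who/when/what-action test above can be applied mechanically to an access review export before the auditor does. The following is an added example, not part of the original guide: it runs the test over a constructed sample export (hypothetical field names, and a 90-day cadence assumed to stand in for "quarterly") and lists the rows that would not hold up as evidence.

```python
from datetime import date, timedelta

# Constructed sample export (not real data): one row per account reviewed.
SAMPLE_REVIEW_EXPORT = [
    {"account": "alice", "reviewed_on": "2024-05-02", "approver": "j.smith",
     "decision": "retain", "action_taken": None},
    {"account": "svc-backup", "reviewed_on": "2024-05-02", "approver": "j.smith",
     "decision": "revoke", "action_taken": "disabled 2024-05-03"},
    {"account": "bob", "reviewed_on": "2024-05-02", "approver": "",
     "decision": "retain", "action_taken": None},
    {"account": "carol", "reviewed_on": "2023-11-15", "approver": "j.smith",
     "decision": "retain", "action_taken": None},
    {"account": "old-contractor", "reviewed_on": "2024-05-02", "approver": "j.smith",
     "decision": "revoke", "action_taken": None},
]

MAX_REVIEW_AGE_DAYS = 90  # assumption: quarterly review cadence


def check_access_review_evidence(rows, audit_date):
    """Return (account, issue) pairs for rows that fail the who/when/what-action
    test. audit_date is an ISO date string, e.g. "2024-06-01"."""
    audit = date.fromisoformat(audit_date)
    findings = []
    for row in rows:
        acct = row.get("account", "<unknown>")
        # "when": a parsable review date that is within the review cadence
        try:
            reviewed = date.fromisoformat(row.get("reviewed_on") or "")
        except ValueError:
            findings.append((acct, "missing or invalid review date"))
            continue
        if audit - reviewed > timedelta(days=MAX_REVIEW_AGE_DAYS):
            findings.append((acct, "review older than %d days" % MAX_REVIEW_AGE_DAYS))
        # "who approved": a named approver must be recorded
        if not row.get("approver"):
            findings.append((acct, "no approver recorded"))
        # "what action was taken": a revoke decision needs a recorded action
        if row.get("decision") == "revoke" and not row.get("action_taken"):
            findings.append((acct, "revocation decided but no action recorded"))
    return findings


if __name__ == "__main__":
    for acct, issue in check_access_review_evidence(SAMPLE_REVIEW_EXPORT, "2024-06-01"):
        print(f"{acct}: {issue}")
```

Rows that pass produce no output; each flagged row names the gap an auditor would raise, so the export can be remediated before Stage 2 rather than after.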
How many controls are checked in the Stage 2 audit?
Auditors use a sampling approach and do not check every control in equal depth. In a typical Stage 2 audit, the auditor will deep-dive into 30-50% of applicable Annex A controls and do a lighter review of the remainder. High-risk controls (access management, incident response, supplier management) receive the most attention. Over the 3-year cycle, all controls are covered through surveillance audits.
What evidence do ISO 27001 auditors accept?
Auditors want objective evidence: screenshots, system logs, signed documents, meeting minutes with dates and attendees, training completion certificates, ticket system records, and configuration exports. Verbal assertions are not sufficient. The quality test is: could someone who was not present verify that this activity happened? If yes, the evidence is adequate.