Information Security Audit Checklist

Uploaded by Rogerio Silva

Instructions: Please answer the questions and present the relevant evidence for each checkpoint.

Checklist columns: Sr. No. | Phase | Requirements | Sub-Requirements (each phase is listed below with its requirements and the sub-requirements to be evidenced)

1. Pre-Audit Preparation
   Define Scope and Objectives
     - Identify systems, networks, processes, and departments to be audited.
     - Set clear audit objectives aligned with compliance requirements.
   Gather Documentation
     - Collect security policies, procedures, network diagrams, and previous audit reports.
   Identify Key Stakeholders
     - Engage IT, security, legal, compliance, HR, and senior management teams.

2. Information Security Management System (ISMS) – ISO 27001:2022
   ISMS Scope and Context
     - Define and document the scope of the ISMS.
     - Understand the organization and its context, including internal and external issues.
     - Identify interested parties and their requirements.
   Leadership and Commitment
     - Ensure top management demonstrates leadership and commitment to the ISMS.
     - Establish, document, and communicate the information security policy.
     - Assign information security roles and responsibilities.
   Risk Assessment and Treatment
     - Conduct a thorough risk assessment to identify, analyze, and evaluate information security risks.
     - Develop and implement risk treatment plans.
   Support
     - Allocate adequate resources for the ISMS.
     - Ensure personnel are competent and receive regular training.
     - Maintain effective communication and control of documented information.
   Operational Controls
     - Implement and maintain operational controls for information security.
     - Ensure incident management and response procedures are documented and tested.
     - Maintain business continuity and disaster recovery plans.
   Performance Evaluation
     - Monitor, measure, analyze, and evaluate ISMS performance.
     - Conduct internal audits and management reviews.
   Improvement
     - Address nonconformities and implement corrective actions.
     - Continuously improve the ISMS.

3. GDPR Compliance
   Data Protection Principles
     - Ensure data processing is lawful, fair, and transparent.
     - Limit data processing to specified, legitimate purposes.
     - Minimize data collection to what is necessary.
     - Maintain data accuracy and integrity.
     - Limit data retention periods.
     - Ensure data security and confidentiality.
   Data Subject Rights
     - Implement processes to handle data subject requests (access, rectification, erasure, restriction, portability, and objection).
     - Ensure transparent communication with data subjects.
   Lawful Basis for Processing
     - Document the lawful basis for processing personal data.
     - Obtain and manage consents where required.
   Data Protection Impact Assessments (DPIAs)
     - Conduct DPIAs for high-risk processing activities.
   Data Breach Response
     - Implement data breach detection, reporting, and response procedures.
     - Notify authorities and affected data subjects as required.
   Data Protection Officer (DPO)
     - Appoint a DPO if required and ensure they perform their duties effectively.
   Third-Party Management
     - Ensure data processing agreements with third parties comply with GDPR.
     - Conduct due diligence and regular audits of third-party processors.

4. SOC Compliance
   SOC 1: Internal Control Over Financial Reporting
     - Assess the effectiveness of controls related to financial reporting.
     - Ensure controls align with the organization's risk management framework.
   SOC 2: Trust Services Criteria
     - Security: Implement measures to protect systems against unauthorized access.
     - Availability: Ensure systems are available for operation and use.
     - Processing Integrity: Confirm systems process data accurately and in a timely manner.
     - Confidentiality: Protect confidential information as committed or agreed.
     - Privacy: Ensure personal information is collected, used, retained, and disclosed in compliance with privacy principles.
   SOC 3: General Controls
     - Ensure public-facing controls are in place and effective.

5. Access Controls
   User Access Management
     - Review procedures for account creation, modification, and termination.
     - Verify adherence to the principle of least privilege.
   Authentication Mechanisms
     - Evaluate password policies, biometrics, and multi-factor authentication.
   Access Monitoring
     - Check logs for unauthorized access attempts and anomalies.

6. Data Protection
   Data Classification and Handling
     - Ensure data is classified based on sensitivity and handled accordingly.
   Encryption
     - Verify encryption standards for data at rest and in transit.
   Data Backup and Recovery
     - Check the frequency and effectiveness of backups and conduct recovery tests.

7. Network Security
   Firewall and IDS/IPS
     - Review firewall rules and intrusion detection/prevention systems.
   Network Segmentation
     - Ensure critical systems are segmented from less sensitive areas.
   Secure Remote Access
     - Evaluate VPN and remote access protocols and configurations.

8. Endpoint Security
   Anti-Malware and Patching
     - Verify up-to-date anti-malware software and regular patch management.
   Device Configuration
     - Check secure configurations for all endpoints, including BYOD policies.
   Mobile Device Management (MDM)
     - Review MDM policies and their enforcement.

9. Physical Security
   Access Controls
     - Verify physical access controls to data centers and sensitive areas.
   Environmental Controls
     - Check for appropriate climate control, fire suppression, and power management systems.

10. Incident Response
   Incident Response Plan
     - Ensure there is a documented, communicated, and tested incident response plan.
   Log Management and Monitoring
     - Confirm logs are collected, reviewed, and stored securely.
   Forensic Readiness
     - Verify systems are in place to support forensic investigations.

11. Vendor Management
   Third-Party Risk Assessment
     - Evaluate security controls of third-party vendors.
   Contracts and SLAs
     - Ensure security requirements are included in vendor contracts and service level agreements.

12. Training and Awareness
   Employee Training
     - Review the effectiveness and frequency of security training programs.
   Phishing and Social Engineering Tests
     - Conduct regular tests to measure employee awareness and response.

13. Audit Reporting
   Documentation of Findings
     - Record all identified vulnerabilities, risks, and areas of non-compliance.
   Actionable Recommendations
     - Provide specific, practical recommendations to address findings.
   Management Review
     - Present the audit report to senior management for review and action planning.

14. Post-Audit Actions
   Follow-Up Audits
     - Schedule follow-up audits to ensure corrective actions are implemented.
   Continuous Improvement
     - Use audit findings to continuously improve the security posture and update policies and procedures.

15. Additional Considerations for Large IT Companies
   Cloud Security
     - Assess security measures for cloud services and compliance with relevant standards.
   Development and DevOps Security
     - Review security practices in software development and deployment pipelines.
   Big Data and AI Security
     - Evaluate security controls for big data platforms and AI systems.
   Advanced Threat Protection
     - Implement and assess advanced threat protection mechanisms, including threat intelligence and behavioural analytics.

Per-checkpoint columns to be completed: Compliance Status | Remarks

Summary
   No. of Compliant checkpoints: 0
   No. of Observations / Findings: 0
   No. of Non-Compliant checkpoints: 0
   Total No. of Checkpoints: 0
