Document Review Guidelines

Lesson 8/18 | Study Time: 25 Min

Document review is a fundamental activity in the ISO/IEC 27001 audit process.

It involves examining key documents to verify that the organization's Information Security Management System (ISMS) is properly established, implemented, and maintained according to the standard's requirements.

This process creates a foundation for understanding how security objectives are defined, how risks are assessed, and how controls are selected and applied.

Policies

Information security policies set the direction and demonstrate management's commitment to information security. They outline the organization's approach, goals, and rules for protecting information assets.

During document review, auditors verify that policies are current, approved by leadership, communicated to all relevant personnel, and reflective of actual practices.

Policies should cover essential topics such as access control, acceptable use, incident management, and compliance obligations.

Risk Assessment Reports

Risk assessment reports document the identification, analysis, and evaluation of information security risks. This includes identifying potential threats and vulnerabilities, assessing their likelihood and impact, and determining risk levels.

Auditors review these reports to confirm that risk assessments are comprehensive, consistent, and performed according to a defined methodology.

The reports should align with the organization's risk acceptance criteria and provide a basis for selecting appropriate risk treatment measures.

Statement of Applicability (SoA)

The SoA is a critical document that lists all Annex A controls from ISO/IEC 27001, specifying which controls the organization has implemented, which are excluded, and the rationale for each decision.

Auditors examine the SoA to ensure that it accurately reflects the risk assessment outcomes and control implementation status. The SoA serves as a reference throughout the audit to verify coverage and align findings with intended controls.

Control Implementation Evidence

Evidence supporting the implementation of controls is vital to demonstrate that security measures are not just documented but effectively operational.

This evidence may include records of access control configurations, logs of security awareness training, system configurations, incident response records, and monitoring reports.

Auditors collect and examine this evidence to substantiate that controls are in place and functioning as intended.
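The consistency checks described in the Statement of Applicability and Control Implementation Evidence sections above, written out as an added Python example; this is not part of the lesson and is not any audit tool's code. It cross-checks three constructed sample records the way an auditor does by hand: every control the risk treatment plan relies on must appear in the SoA as applicable, every SoA decision must carry a rationale, and every control claimed as implemented must have at least one evidence record. The SoA entries, risk identifiers, justifications and evidence file names are invented; control numbers follow the ISO/IEC 27001:2022 Annex A numbering, and A.9.99 is a deliberately bogus reference.

```python
"""Added example (not from the lesson): cross-check a Statement of
Applicability against the risk treatment plan and control evidence.
All data below is constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class SoAEntry:
    control_id: str      # Annex A reference, e.g. "A.5.15"
    applicable: bool     # included in the ISMS, or excluded
    justification: str   # rationale for inclusion or exclusion
    implemented: bool    # implementation status as claimed in the SoA


@dataclass(frozen=True)
class RiskTreatment:
    risk_id: str
    controls: tuple[str, ...]   # controls the treatment of this risk relies on


@dataclass(frozen=True)
class Evidence:
    control_id: str
    record: str          # pointer to the artefact: config export, log, ticket


def review_soa(soa, treatments, evidence):
    """Return a list of audit findings; an empty list means the SoA,
    the treatment plan and the evidence are mutually consistent."""
    findings = []
    by_id = {e.control_id: e for e in soa}
    evidenced = {ev.control_id for ev in evidence}

    # Check 1: the SoA must reflect the risk assessment outcomes, so every
    # control a treatment cites must be listed and marked applicable.
    for t in treatments:
        for cid in t.controls:
            entry = by_id.get(cid)
            if entry is None:
                findings.append(f"{t.risk_id}: control {cid} cited in treatment but absent from SoA")
            elif not entry.applicable:
                findings.append(f"{t.risk_id}: control {cid} cited in treatment but excluded in SoA")

    # Check 2: each SoA decision needs a rationale, and a control claimed
    # as implemented needs evidence that it is actually operating.
    for entry in soa:
        if not entry.justification.strip():
            kind = "inclusion" if entry.applicable else "exclusion"
            findings.append(f"{entry.control_id}: no justification recorded for {kind}")
        if entry.implemented and not entry.applicable:
            findings.append(f"{entry.control_id}: marked implemented yet excluded")
        if entry.applicable and entry.implemented and entry.control_id not in evidenced:
            findings.append(f"{entry.control_id}: claimed implemented but no evidence record")
    return findings


# Constructed sample records (not a real organisation's SoA).
SAMPLE_SOA = (
    SoAEntry("A.5.15", True, "Treats R-01 (unauthorised access)", True),
    SoAEntry("A.5.24", True, "Treats R-02 (incident handling)", True),
    SoAEntry("A.6.3", True, "", True),                          # rationale missing
    SoAEntry("A.8.16", False, "Monitoring is outsourced", False),  # excluded, yet cited below
)
SAMPLE_TREATMENTS = (
    RiskTreatment("R-01", ("A.5.15",)),
    RiskTreatment("R-02", ("A.5.24", "A.8.16")),
    RiskTreatment("R-03", ("A.9.99",)),   # bogus reference, constructed on purpose
)
SAMPLE_EVIDENCE = (
    Evidence("A.5.15", "access-review-2024Q1.csv"),
    Evidence("A.6.3", "awareness-training-attendance.xlsx"),
)   # nothing on file for A.5.24


def run_sample():
    """Run the review over the constructed records."""
    return review_soa(SAMPLE_SOA, SAMPLE_TREATMENTS, SAMPLE_EVIDENCE)


if __name__ == "__main__":
    for line in run_sample():
        print("FINDING:", line)
```

Running the sample yields four findings: an excluded control cited by a treatment, a treatment citing a control the SoA does not list, an included control without a justification, and an implemented control with no evidence record. The same three inputs are what an auditor asks for in the opening document request, so a script like this is a cheap pre-audit self-check rather than a substitute for the review itself.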

Importance of Document Review