ISO/IEC 27001:2022 Annex A Quarterly Audit Plan
Objective and scope
- Deliver a quarter-by-quarter internal audit playbook that aligns every step to ISO/IEC 27001:2022 Annex A control titles and numbering, covering organizational (A.5), people (A.6), physical (A.7), and technological (A.8) themes.
- Reinforce authentic evidence collection—no placeholder test data—so audit files withstand registrar and regulator scrutiny.
- Anchor the schedule to a Day 36 editorial QA gate and Day 38 publication, with weekly checkpoints for control coverage, sampling sufficiency, and supplier evidence.
Quarterly audit steps mapped to Annex A controls
- Governance and scope confirmation (Week 1–2):
  - Validate policy currency and role assignments against A.5.1 Policies for information security, A.5.2 Information security roles and responsibilities, and A.5.4 Management responsibilities; confirm segregation of duties per A.5.3.
  - Refresh threat intelligence intake and project onboarding controls per A.5.7 Threat intelligence and A.5.8 Information security in project management to ensure quarterly plans incorporate emerging risks.
  - Reaffirm legal and regulatory mappings, records protection, and operating procedures with A.5.31 Legal, statutory, regulatory, and contractual requirements, A.5.33 Protection of records, and A.5.37 Documented operating procedures.
- Asset, data, and transfer controls (Week 2–3):
  - Inventory changes to assets and data classification, tracing labels and transfer channels under A.5.9 Inventory of information and other associated assets, A.5.12 Classification of information, A.5.13 Labelling of information, and A.5.14 Information transfer.
  - Verify acceptable use attestations, asset returns, and cross-border transfers against A.5.10 Acceptable use of information and other associated assets, A.5.11 Return of assets, and A.5.34 Privacy and protection of PII.
- Access management and monitoring (Week 3–4):
  - Sample provisioning, authentication, and recertification evidence for A.5.15 Access control, A.5.16 Identity management, A.5.17 Authentication information, and A.5.18 Access rights, corroborated by A.8.2 Privileged access rights and A.8.3 Information access restriction.
  - Evaluate logging and monitoring coverage for high-risk systems under A.8.15 Logging, A.8.16 Monitoring activities, and A.8.17 Clock synchronization to verify auditability.
- Change, development, and operations (Week 4–5):
  - Inspect change tickets, SDLC controls, and secure engineering evidence per A.5.8 Information security in project management, A.8.25 Secure development life cycle, A.8.27 Secure system architecture and engineering principles, A.8.28 Secure coding, and A.8.32 Change management.
  - Confirm configuration baselines, patching, and malware controls via A.8.7 Protection against malware, A.8.8 Management of technical vulnerabilities, and A.8.9 Configuration management.
- Continuity, incident, and audit readiness (Week 5–6):
  - Test incident triage and evidence handling against A.5.24 Information security incident management planning and preparation, A.5.25 Assessment and decision on information security events, A.5.26 Response to information security incidents, and A.5.28 Collection of evidence.
  - Validate resilience drills and ICT continuity preparations for A.5.29 Information security during disruption and A.5.30 ICT readiness for business continuity, ensuring backups and failover meet A.8.13 Information backup and A.8.14 Redundancy of information processing facilities expectations.
  - Safeguard systems during audit procedures and penetration tests per A.8.34 Protection of information systems during audit activities.
- People and physical controls spot checks (Week 6):
  - Reconfirm onboarding, awareness, disciplinary, and remote work controls for A.6.1 Screening, A.6.2 Terms and conditions of employment, A.6.3 Information security awareness, education and training, A.6.4 Disciplinary process, A.6.5 Responsibilities after termination or change of employment, A.6.6 Confidentiality or non-disclosure agreements, A.6.7 Remote working, and A.6.8 Information security event reporting.
  - Walk through facility protections under A.7.1 Physical security perimeters, A.7.2 Physical entry controls, A.7.4 Physical security monitoring, A.7.5 Protecting against physical and environmental threats, and A.7.14 Secure disposal or re-use of equipment.
Sampling plans
- Access and identity: Select 10% of quarterly joiner/mover/leaver events (minimum of 15 records) and 10 privileged role changes to validate A.5.16 through A.5.18 plus A.8.2 evidence; include multi-factor resets and dormant account closures.
- Logging and monitoring: Pull four weeks of log samples from three critical systems per A.8.15–A.8.17, verifying time synchronization, retention settings, and alert-to-response traceability.
- Change and SDLC: Review 15 change requests spanning emergency, standard, and major categories for A.8.25, A.8.28, and A.8.32 compliance; match at least five to corresponding test evidence under A.8.29 Security testing in development and acceptance.
- Asset and data handling: Inspect 20 asset records, five cross-border transfers, and five media disposal tickets to confirm A.5.9, A.5.13, A.5.14, and A.7.14 controls are enforced and documented.
- Continuity and incident response: Sample two incident postmortems and two continuity exercises from the quarter against A.5.24–A.5.30 and A.8.13–A.8.14, ensuring evidence kits include lessons learned and test results.
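The sampling rules above combine a proportional draw with a floor (10% of joiner/mover/leaver events, minimum 15) and a fixed count spread across categories (15 change requests across emergency, standard, and major). The helper below is an added example, not part of the audit plan or any audit tool; it implements both rules with a recorded seed so the working papers can state exactly how the sample was drawn and a reviewer can reproduce the draw. The record identifiers and categories in the demo are constructed for illustration.

```python
"""Reproducible audit sample selection (added example, not from the plan)."""
import hashlib
import math
import random
from collections import defaultdict
from typing import Dict, List, Sequence


def sample_size(population: int, fraction: float, minimum: int) -> int:
    """Records to pull: ceil(fraction * population), at least `minimum`,
    but never more than the population actually contains."""
    if population <= 0:
        return 0
    return min(population, max(math.ceil(fraction * population), minimum))


def _rng(seed: str) -> random.Random:
    # Derive the generator from a string seed (e.g. "2024Q3-JML") so the seed
    # noted in the evidence file reproduces the identical draw later.
    digest = hashlib.sha256(seed.encode("utf-8")).hexdigest()
    return random.Random(int(digest, 16))


def select_sample(record_ids: Sequence[str], fraction: float,
                  minimum: int, seed: str) -> List[str]:
    """Proportional draw with a floor, without replacement (e.g. JML events)."""
    ids = sorted(set(record_ids))            # stable order before drawing
    n = sample_size(len(ids), fraction, minimum)
    return sorted(_rng(seed).sample(ids, n))


def select_stratified(records: Dict[str, str], total: int,
                      seed: str) -> Dict[str, List[str]]:
    """Spread `total` picks across categories as evenly as the data allows.
    `records` maps record id -> category. Categories with too few records
    contribute everything they have and the shortfall moves to the others."""
    by_cat: Dict[str, List[str]] = defaultdict(list)
    for rid, cat in sorted(records.items()):
        by_cat[cat].append(rid)
    rng = _rng(seed)
    remaining = min(total, len(records))
    picks: Dict[str, List[str]] = {}
    # Smallest categories first, so any shortfall is reallocated to larger ones.
    cats = sorted(by_cat, key=lambda c: len(by_cat[c]))
    for i, cat in enumerate(cats):
        share = math.ceil(remaining / (len(cats) - i))
        take = min(share, len(by_cat[cat]))
        picks[cat] = sorted(rng.sample(by_cat[cat], take))
        remaining -= take
    return picks


if __name__ == "__main__":
    # Constructed demo data: 120 JML events and 53 change requests.
    jml_events = [f"JML-{i:04d}" for i in range(1, 121)]
    changes = {f"CHG-{i:03d}": "standard" for i in range(1, 41)}
    changes.update({f"CHG-{i:03d}": "major" for i in range(41, 51)})
    changes.update({f"CHG-{i:03d}": "emergency" for i in range(51, 54)})

    jml_sample = select_sample(jml_events, 0.10, 15, "2024Q3-JML")
    print(f"JML sample ({len(jml_sample)} of {len(jml_events)}):", jml_sample)
    for cat, ids in select_stratified(changes, 15, "2024Q3-CHG").items():
        print(f"{cat}: {len(ids)} picked:", ids)
```

Record the seed string and the population snapshot (export timestamp and record count) alongside the sample in the evidence file; with those two facts a registrar can rerun the draw and confirm the sample was not hand-picked.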
Evidence calendar (Day 0–38)
- Day 0–7: Confirm scope, control owners, and inventory baselines; launch data pulls for access, asset, and logging systems; prepare supplier request list.
- Day 8–14: Execute asset/classification sampling and start access management tests; capture evidence for A.5.9, A.5.12–A.5.18, and A.8.3.
- Day 15–21: Complete logging/monitoring and change/SDLC sampling; assemble incident and continuity test packs for A.5.24–A.5.30, A.8.13–A.8.17, and A.8.25–A.8.32.
- Day 22–28: Finalize supplier oversight checks (see below), physical walkthroughs, and people-control attestations; reconcile any evidence gaps.
- Day 29–35: Draft audit narratives, control test summaries, and exceptions; secure control-owner sign-off and remediation timelines.
- Day 36: Editorial QA pass on findings, citations, and Annex A terminology; lock evidence references and approvals.
- Day 38: Publish the quarterly audit report to the evidence repository and notify stakeholders; schedule kick-off for the next quarter’s Day 0.
Supplier oversight procedures — A.5.19 and A.5.20
- A.5.19 Information security in supplier relationships:
  - Maintain a quarterly supplier inventory with data classification, hosting region, and service criticality. Require control attestations for onboarding and renewals, and evidence of incident notification paths.
  - Review last quarter’s due diligence packets for at least five critical suppliers, validating SOC 2/ISO certifications, penetration test summaries, and business continuity claims against actual service-level monitoring.
  - Confirm supplier access provisioning aligns with A.5.15–A.5.18 and A.8.2 by sampling identity federation logs and quarterly access reviews.
- A.5.20 Addressing information security within supplier agreements:
  - Validate that current contracts (new, renewal, and major change orders) embed security schedules covering data handling, breach notification timelines, subcontractor controls, and audit rights.
  - Trace two change events and two incident responses involving suppliers to confirm contract terms (notification, evidence sharing, and corrective actions) were met.
  - Cross-check agreements for cloud-specific commitments aligned to A.5.23 Information security for use of cloud services and, where applicable, A.5.21 Managing information security in the ICT supply chain and A.5.22 Monitoring, review and change management of supplier services.
QA and publication checklist
- Copy-edit for ISO/IEC 27001:2022 control titles and numbering accuracy; remove any ambiguous shorthand.
- Verify that every sample and evidence reference points to real data with retrievable links or storage paths—no placeholders or synthetic artifacts.
- Confirm Day 36 QA completion, Day 38 publication, and stakeholder notifications are logged with timestamps and approver names.