Study Document 03

Clause-wise lead auditor notes.

A practical ISO/IEC 27001:2022 audit guide for Clauses 4 to 10, arranged around clause intent, expected evidence, audit questions, and common finding patterns.

How to use this document

Convert each clause into an audit trail.

For exam preparation, do not only remember what the clause is called. Practise tracing each requirement into records, interviews, samples, evidence, findings, and management system effectiveness.

7Main auditable clauses from context through improvement.
4Audit lenses: intent, evidence, questions, and finding watchpoints.
1Clear audit logic: requirement, evidence, conformity conclusion.

Clause map

Understand the role of each clause before auditing detail.

Clauses 4 to 10 form the management system cycle. Clause 6 and Clause 8 are especially important because they connect risk assessment, risk treatment, controls, and operational evidence.

Clause
Theme
Auditor focus
4
Context
Scope, interested parties, internal/external issues, ISMS process boundaries, and interfaces.
5
Leadership
Top management commitment, policy, roles, responsibilities, resources, and communication.
6
Planning
Risks and opportunities, risk assessment, risk treatment, SoA, objectives, and planned changes.
7
Support
Resources, competence, awareness, communication, and control of documented information.
8
Operation
Operational controls, planned changes, outsourced processes, reassessment, and treatment plan execution.
9
Performance evaluation
Monitoring and measurement, internal audit, management review, and performance evidence.
10
Improvement
Nonconformity handling, corrective action, root cause, effectiveness review, and continual improvement.

Clause notes

Audit prompts and evidence by clause.

Use these notes when answering scenario questions. The best answer usually follows the audit trail: requirement first, objective evidence second, conclusion last.

4
Context of the organization

Set the ISMS boundaries and business context.

Clause 4 expects the organization to understand internal and external issues, interested parties and their requirements, define the ISMS scope, and establish the ISMS processes.

Audit focus

  • Context is current and relevant.
  • Interested parties and obligations are identified.
  • Scope includes boundaries, locations, functions, interfaces, and exclusions.
  • ISMS processes are established and maintained.

Evidence

  • Context review or SWOT/PESTLE output.
  • Interested party and legal/contractual requirement register.
  • Approved ISMS scope statement.
  • Process map, interfaces, dependencies, and documented scope rationale.

Audit questions

  • How were internal and external issues determined?
  • Which interested party requirements are included in the ISMS?
  • Why were these boundaries selected?
  • How are interfaces with suppliers or other entities controlled?

Watchpoints

  • Scope excludes relevant high-risk activities without rationale.
  • Legal or contractual obligations are missing.
  • Context is created once and not reviewed.
  • Processes are described but not implemented.
5
Leadership

Confirm management commitment and accountability.

Clause 5 expects top management to demonstrate leadership, establish a policy, assign responsibilities, support the ISMS, and ensure information security is aligned with business direction.

Audit focus

  • Policy is suitable and communicated.
  • Security objectives support strategic direction.
  • Roles, responsibilities, and authorities are assigned.
  • Top management provides resources and promotes continual improvement.

Evidence

  • Information security policy.
  • Leadership interview notes.
  • Organization chart, RACI, job descriptions, committee minutes.
  • Budget, resource allocation, management review records.

Audit questions

  • How does top management demonstrate commitment?
  • How is policy communicated and understood?
  • Who reports ISMS performance to management?
  • How are security roles integrated into business processes?

Watchpoints

  • Policy exists but staff are unaware of it.
  • Responsibilities are informal or not communicated.
  • Management review is delegated without leadership involvement.
  • Objectives are not linked to business risk.
6
Planning

Plan risk, treatment, objectives, and changes.

Clause 6 is central to ISO 27001. It covers risks and opportunities, information security risk assessment, risk treatment, Statement of Applicability, security objectives, and planned ISMS changes.

Audit focus

  • Risk criteria are defined and applied consistently.
  • Risks are identified, analysed, evaluated, and owned.
  • Treatment options and controls are selected based on risk.
  • Objectives are measurable and planned.

Evidence

  • Risk assessment and treatment methodology.
  • Risk register and treatment plan.
  • Statement of Applicability with inclusion/exclusion justification.
  • Risk owner approvals, objectives, change plans.

Audit questions

  • What risk acceptance criteria are used?
  • How are risk owners involved?
  • How do selected Annex A controls trace to risk treatment?
  • How are objectives measured and reviewed?

Watchpoints

  • Risk scoring is inconsistent or not repeatable.
  • SoA excludes controls without valid justification.
  • Treatment plan lacks owner, due date, status, or approval.
  • Objectives are vague or not measurable.
7
Support

Verify the resources that make the ISMS work.

Clause 7 covers the support system around the ISMS: resources, competence, awareness, communication, and documented information control.

Audit focus

  • Resources are available for ISMS operation.
  • People are competent for assigned security roles.
  • Personnel understand policy, contribution, and consequences of nonconformity.
  • Documented information is controlled.

Evidence

  • Competence matrix, training plan, training records.
  • Awareness records and interview results.
  • Communication plan or communication evidence.
  • Document control procedure, revision history, access controls.

Audit questions

  • How is competence determined for ISMS roles?
  • How are staff made aware of security responsibilities?
  • What internal and external communications are required?
  • How are obsolete documents prevented from use?

Watchpoints

  • Training was delivered but effectiveness is not evaluated.
  • Critical roles have no competence criteria.
  • Staff cannot explain relevant security responsibilities.
  • Uncontrolled documents are used operationally.
8
Operation

Confirm risk treatment and controls are actually operating.

Clause 8 moves planning into operation. It covers operational planning and control, planned changes, externally provided processes, periodic risk assessment, and risk treatment plan implementation.

Audit focus

  • Security processes operate according to defined criteria.
  • Controls selected in the SoA are implemented.
  • Changes are controlled and unexpected changes are reviewed.
  • Risk assessments and treatment are repeated when required.

Evidence

  • Operational procedures and control records.
  • Change records and impact assessments.
  • Supplier control and monitoring evidence.
  • Updated risk assessment, treatment status, control operation samples.

Audit questions

  • How are operational criteria defined and monitored?
  • Can selected controls be traced to records of operation?
  • When was risk reassessed after change?
  • How are outsourced or supplier-controlled processes monitored?

Watchpoints

  • SoA says control is implemented but records are absent.
  • Risk assessment is not updated after major change.
  • Operational controls depend on undocumented practices.
  • Supplier controls are assumed but not verified.
9
Performance evaluation

Evaluate whether the ISMS is effective.

Clause 9 requires monitoring, measurement, analysis, evaluation, internal audit, and management review to determine whether the ISMS is suitable, adequate, and effective.

Audit focus

  • Metrics are defined and produce valid results.
  • Internal audits are planned, impartial, and complete.
  • Management review covers required inputs and decisions.
  • Outputs drive improvement and resource decisions.

Evidence

  • Monitoring and measurement plan/report.
  • Internal audit programme, plan, checklist, report, NCs.
  • Auditor competence and impartiality evidence.
  • Management review minutes, action log, performance trends.

Audit questions

  • What is monitored, how often, and by whom?
  • How is internal audit independence maintained?
  • Has the entire ISMS scope been audited?
  • What management review decisions were made and followed up?

Watchpoints

  • Metrics exist but are not analysed.
  • Internal audit misses part of the scope or criteria.
  • Auditor audits their own work.
  • Management review minutes show discussion but no decisions.
10
Improvement

Close findings and prove corrective action effectiveness.

Clause 10 covers continual improvement, nonconformity, correction, corrective action, root cause, action effectiveness, and records of results.

Audit focus

  • Nonconformities are recorded and evaluated.
  • Consequences are addressed where required.
  • Root cause is analysed before corrective action is closed.
  • Effectiveness is reviewed and documented.

Evidence

  • NC register and corrective action records.
  • Root cause analysis and action plan.
  • Evidence of correction and corrective action.
  • Effectiveness review, trend analysis, improvement log.

Audit questions

  • How are NCs captured from audits, incidents, and reviews?
  • What immediate correction was taken?
  • How was root cause determined?
  • How was recurrence prevented and effectiveness verified?

Watchpoints

  • Only correction is performed; root cause is not addressed.
  • Corrective action is closed without evidence.
  • Recurring findings are treated as isolated events.
  • Improvement actions are not tracked to completion.

Lead auditor technique

Use a process trail, not a document checklist only.

In the exam and in real audits, the stronger answer usually tests implementation and effectiveness. A document can be evidence, but it is not automatically proof that the process works.

1

Start with requirement

Identify the exact clause, control, audit criterion, or internal requirement being tested.

2

Ask for process

Understand how the organization says the activity is planned, owned, performed, and reviewed.

3

Sample records

Check records across dates, systems, departments, suppliers, and risk levels where practical.

4

Interview users

Confirm whether people know their responsibilities and follow the defined method.

5

Conclude clearly

State conformity or nonconformity using requirement, objective evidence, and impact.

Exam memory aid

Clause 4 to 10 in one line.

  • 4: Define context, interested parties, scope, and ISMS processes.
  • 5: Confirm leadership, policy, accountability, and resources.
  • 6: Plan risk, treatment, objectives, SoA, and ISMS changes.
  • 7: Support the ISMS with competence, awareness, communication, and controlled information.
  • 8: Operate controls, manage changes, reassess risk, and implement treatment.
  • 9: Measure performance, audit internally, and review with management.
  • 10: Correct, analyse root cause, prevent recurrence, and improve.

Common exam trap

Do not confuse existence with effectiveness.

  • A policy exists, but is it communicated and applied?
  • A risk register exists, but are criteria consistent and owners approving treatment?
  • A control is selected in the SoA, but is there operating evidence?
  • An internal audit happened, but did it cover the full scope and remain impartial?
  • A corrective action is closed, but was effectiveness verified?

Use note

This is a KISCyber learner guide.

This page is an original training summary using user-provided ISO 27001 Lead Auditor clause-wise study materials as references. Always use the authorised standard, official course material, and current exam provider guidance when preparing for certification.