ISO 27001 Lead Auditor — Cheat Sheet

2022 edition (ISO/IEC 27001:2022) · Covers exam traps, Annex A controls, audit process, and key distinctions

Clauses 4–10

Annex A Controls

Audit Process

Exam Traps

Key Terms

Quick Quiz

Critical rule: Clauses 4–10 are ALL mandatory. Annex A controls are selected based on the risk assessment — not all controls are mandatory.

Clause	Title	Key requirements / exam focus
4.1	Understanding the org	Internal & external issues affecting ISMS. Use PESTLE / SWOT.
4.2	Interested parties	Identify stakeholders + their requirements. Requirements → some become ISMS requirements.
4.3	Scope	Must be documented. Can exclude parts of org — but must justify. Exclusions must not affect ability to achieve objectives.
4.4	ISMS	Establish, implement, maintain, continually improve.
5.1	Leadership & commitment	Top management must demonstrate — not just "be aware". Evidence: policy approval, resource allocation, integration with business.
5.2	Policy	Documented, communicated, available to interested parties. Must include commitment to satisfy requirements and continual improvement.
5.3	Roles & responsibilities	Top management assigns — doesn't have to do it themselves. CISO/ISO role assigned.
6.1	Risk & opportunity	Actions to address risks AND opportunities. This is often missed in audits.
6.1.2	Risk assessment	Documented process. Criteria for risk acceptance. Identify asset owners. Produces risk register.
6.1.3	Risk treatment	RTP (Risk Treatment Plan) required. SoA (Statement of Applicability) required — must justify inclusions AND exclusions of Annex A controls.
6.2	Objectives	Measurable, monitored, communicated, updated. Must consider risk results.
6.3	Planning changes	NEW in 2022. Changes to ISMS must be planned — purpose, consequences, resources, responsibilities.
7.1	Resources	HR, financial, infrastructure. Competence of people doing ISMS work.
7.2	Competence	Determine, ensure, evaluate effectiveness of training. Documented evidence required.
7.3	Awareness	All personnel must be aware of: policy, their contribution, implications of not conforming.
7.4	Communication	What, when, with whom, how to communicate about ISMS.
7.5	Documented information	Standard uses "documented information" not "documents & records". Creation, control, retention, disposition all required.
8.1	Operational planning	Implement plans from Clause 6. Control outsourced processes.
8.2	Risk assessment (ops)	Perform risk assessment at planned intervals AND when significant changes occur.
8.3	Risk treatment (ops)	Implement the risk treatment plan. Retain documented information.
9.1	Monitoring & measurement	What, methods, when, who, when results analysed. Must use valid methods.
9.2	Internal audit	Programme (planned schedule) + each individual audit. Auditors must be objective & impartial — cannot audit own work.
9.3	Management review	Required inputs: audit results, feedback, risk treatment status, objectives performance, interested party feedback, opportunities for improvement. Output: decisions for continual improvement.
10.1	Continual improvement	Continually improve suitability, adequacy, effectiveness.
10.2	Nonconformity & corrective action	React → contain → root cause → corrective action → verify effectiveness. Retain documented information of all steps.

The SoA — Statement of Applicability

What must the SoA contain

All Annex A controls listed
For each: applicable (yes/no)
Justification for inclusion OR exclusion
Implementation status

Common SoA mistakes

Excluding a control with no justification
No link between SoA and risk treatment plan
SoA not kept up to date after changes
Controls marked "applicable" but not implemented

2022 change: Annex A was restructured from 14 domains / 114 controls → 4 themes / 93 controls. Exams will test you on the new structure.

5. Organizational controls (37)

5.1 Policies for IS
5.2 IS roles & responsibilities
5.3 Segregation of duties
5.4 Management responsibilities
5.5 Contact with authorities
5.6 Contact with special interest groups
5.7 Threat intelligence NEW
5.8 IS in project management
5.9 Inventory of information & other assets
5.10 Acceptable use of assets
5.11 Return of assets
5.12 Classification of information
5.13 Labelling of information
5.14 Information transfer
5.15 Access control
5.16 Identity management
5.17 Authentication info
5.18 Access rights
5.19 IS in supplier relationships
5.20 Addressing IS in supplier agreements
5.21 Managing IS in ICT supply chain NEW
5.22 Monitoring, review, change mgmt of supplier services
5.23 IS for use of cloud services NEW
5.24 IS incident mgmt planning & prep
5.25 Assessment & decision on IS events
5.26 Response to IS incidents
5.27 Learning from IS incidents
5.28 Collection of evidence
5.29 IS during disruption NEW merged
5.30 ICT readiness for business continuity NEW
5.31 Legal, statutory, regulatory, contractual requirements
5.32 IP rights
5.33 Protection of records
5.34 Privacy & PII protection
5.35 Independent review of IS
5.36 Compliance with policies, rules, standards
5.37 Documented operating procedures

6. People controls (8)

6.1 Screening
6.2 Terms and conditions of employment
6.3 IS awareness, education, training
6.4 Disciplinary process
6.5 Responsibilities after termination or change
6.6 Confidentiality or NDA agreements
6.7 Remote working NEW
6.8 IS event reporting

7. Physical controls (14)

7.1 Physical security perimeters
7.2 Physical entry
7.3 Securing offices, rooms, facilities
7.4 Physical security monitoring NEW
7.5 Protecting against physical & environmental threats
7.6 Working in secure areas
7.7 Clear desk and clear screen
7.8 Equipment siting and protection
7.9 Security of assets off-premises
7.10 Storage media
7.11 Supporting utilities
7.12 Cabling security
7.13 Equipment maintenance
7.14 Secure disposal or re-use of equipment

8. Technological controls (34)

8.1 User endpoint devices NEW merged
8.2 Privileged access rights
8.3 Information access restriction
8.4 Access to source code
8.5 Secure authentication
8.6 Capacity management
8.7 Protection against malware
8.8 Management of technical vulnerabilities
8.9 Configuration management NEW
8.10 Information deletion NEW
8.11 Data masking NEW
8.12 Data leakage prevention NEW
8.13 Information backup
8.14 Redundancy of information processing
8.15 Logging
8.16 Monitoring activities NEW
8.17 Clock synchronisation
8.18 Use of privileged utility programs
8.19 Installation of software on operational systems
8.20 Networks security
8.21 Security of network services
8.22 Segregation of networks
8.23 Web filtering NEW
8.24 Use of cryptography
8.25 Secure development lifecycle
8.26 Application security requirements
8.27 Secure system architecture and engineering NEW
8.28 Secure coding NEW
8.29 Security testing in dev & acceptance
8.30 Outsourced development
8.31 Separation of dev, test, production
8.32 Change management
8.33 Test information
8.34 Protection of IS during audit testing

11 Brand-new controls in 2022 (high exam probability)

5.7 Threat intelligence

Org must collect and analyse threat intel

5.23 Cloud services

IS for acquiring, using, managing cloud

5.30 ICT BCM

ICT readiness for business continuity

8.9 Config mgmt

Secure configs defined, documented, monitored

8.10 Data deletion

Deletion when no longer needed

8.11 Data masking

Masking per access control & regulations

8.12 Data leakage prevention

DLP applied to systems and networks

8.16 Monitoring activities

Monitor for anomalous behaviour

8.23 Web filtering

Manage access to external websites

8.27 Secure architecture

Security-by-design principles

8.28 Secure coding

Secure coding principles applied

Audit phases — KNOW these in order

Stage 1 — Documentation review

Review ISMS scope and policy
Review risk assessment and SoA
Check ISMS documentation is complete
Identify areas of concern for Stage 2
Conducted usually off-site
Output: Stage 1 report, Stage 2 plan

Stage 2 — Implementation audit

Verify controls are actually implemented
Interviews, observation, evidence review
Conducted on-site
Opening meeting → fieldwork → closing meeting
Output: Audit report with findings

Surveillance audits

Year 1 and Year 2 after certification
Partial — not all controls each time
Focus on objectives, complaints, continual improvement
Must cover internal audit + management review

Recertification audit

Every 3 years
Full audit — like Stage 2 again
Reviews effectiveness over 3-year cycle

Finding classifications — most tested area

Major nonconformity (NC)

Absence of a required system element
Systematic failure of an implemented control
Multiple minors in same area = major
Prevents certification until resolved
Example: No risk assessment performed; no internal audit conducted

Minor nonconformity

Single lapse / isolated failure
Does NOT prevent certification
Requires corrective action plan
Example: One record not retained; one employee not trained

Observation / OFI

Not a nonconformity
Opportunity for improvement noted
No formal corrective action required
Auditor suggestion only

Audit evidence types

Primary evidence types

Documents: policies, procedures, plans
Records: logs, training records, meeting minutes
Interviews: verbal confirmation from staff
Observation: watching a process being performed
Technical testing: scans, config review

Audit sampling

Auditor selects sample — cannot audit everything
Risk-based sampling: focus on higher-risk areas
Findings extrapolated to the population
Document rationale for sampling method

Lead auditor responsibilities (vs team auditor)

Lead auditor does

Plans the audit programme
Selects and leads the audit team
Conducts opening and closing meetings
Makes final findings decisions
Signs off audit report
Manages audit schedule and scope
Communicates with the client

Team auditor does

Executes assigned audit tasks
Collects and documents evidence
Reports findings to lead auditor
Does NOT make final certification decisions

These are the most common reasons candidates fail. Study every item here carefully.

Terminology traps

"Documents" vs "Documented information"

2022 uses "documented information" to cover both documents (instructions) and records (evidence)
Old term "documents and records" is gone
Exam may ask: what is the correct ISO 27001 term? → Documented information

Risk "assessment" vs "treatment"

Assessment = identify, analyse, evaluate (Clause 6.1.2)
Treatment = select options, create RTP, produce SoA (Clause 6.1.3)
These are separate steps — don't conflate them

"Shall" vs "Should"

Shall = mandatory requirement
Should = recommendation only (from ISO 27002)
ISO 27001 uses "shall" for all requirements
ISO 27002 uses "should" — guidance, not auditable

ISO 27001 vs ISO 27002

27001 = requirements standard (certifiable)
27002 = code of practice / implementation guidance
You audit against 27001, not 27002
27002 supports implementation of Annex A controls

Risk traps

Who approves residual risk?

Risk OWNERS approve residual risk — not management, not the CISO
Risk owner may be a department head or asset owner
Top management sets risk acceptance criteria

Risk treatment options

Modify (mitigate) — apply controls
Retain (accept) — within risk appetite
Avoid — stop the activity
Share/transfer — insurance, outsourcing
Note: sharing does NOT transfer accountability

Audit process traps

Can auditor audit their own work?

No. Internal auditors must be objective and impartial
They cannot audit the area they are responsible for
Doesn't need to be external — just not own work

When is corrective action required?

For nonconformities (both major and minor)
Must address ROOT CAUSE — not just symptom
Effectiveness must be verified afterward
NOT required for observations/OFIs

Management review inputs (exact list)

Status of prev. management review actions
Changes in external/internal issues
IS performance & effectiveness feedback
Interested parties' feedback
Results of risk assessment, risk treatment status
Audit results (internal + external)
Opportunities for continual improvement

What can the auditor NOT do?

Cannot recommend specific solutions to auditee
Cannot guarantee certification outcome
Cannot audit if conflict of interest exists
Cannot accept gifts / hospitality that affect objectivity

Scope & exclusion traps

Excluding Annex A controls

Allowed — but must justify in SoA
Cannot exclude a control if risk treatment requires it
Exam trick: "control not applicable to our org" is valid justification
Exam trick: "control too expensive" is NOT valid on its own

Scope boundary trap

Scope can be a subset of the org
But: interfaces and dependencies outside scope must be considered
Cannot artificially narrow scope to exclude problem areas

Core ISMS terms

Asset: anything of value to the org (info, people, systems)
Threat: potential cause of an unwanted incident
Vulnerability: weakness that a threat can exploit
Risk: effect of uncertainty on objectives (ISO 31000)
Residual risk: risk remaining after treatment
Control: measure that modifies risk
ISMS: policies, procedures, processes, systems managing IS

CIA Triad

Confidentiality: info accessible only to authorised
Integrity: accuracy and completeness of info
Availability: accessible when needed by authorised users
ISO 27001 protects all three — exam often asks "which CIA property?"

Audit terms

Audit criteria: set of requirements used as reference (the standard)
Audit evidence: records, facts, other info relevant to criteria
Audit findings: results of evaluating evidence against criteria
Audit conclusion: outcome after considering findings
Audit client: person/org requesting the audit
Auditee: org being audited
Audit programme: planned set of audits over a period

Risk terms

Risk appetite: amount of risk org is willing to accept
Risk tolerance: acceptable variation around risk appetite
Risk owner: person accountable for managing a risk
Risk register: documented list of identified risks
RTP: Risk Treatment Plan — what will be done
SoA: Statement of Applicability — which controls apply

Related standards (know which is which)

ISO 27001 — ISMS requirements (certifiable)
ISO 27002 — Control guidance / code of practice
ISO 27005 — IS risk management guidance
ISO 27701 — Privacy extension (PIMS)
ISO 19011 — Guidelines for auditing management systems
ISO 17021 — Certification body requirements
ISO 31000 — Risk management (general)

Information classification (typical scheme)

Public — no restrictions on distribution
Internal — for internal use only
Confidential — restricted to specific groups
Restricted / Secret — highest sensitivity
ISO 27001 doesn't mandate specific labels — org defines their own scheme

PDCA cycle mapped to clauses

Plan (Clauses 4, 5, 6)

Context, leadership, risk assessment, objectives, planning

Do (Clause 7, 8)

Support, operational implementation

Check (Clause 9)

Monitoring, internal audit, management review

Act (Clause 10)

Nonconformity, corrective action, continual improvement

Tap an option to check your answer. These are representative of real exam question styles.

1. An organisation has identified that control 8.11 (Data masking) is not relevant because they do not process personal data. What should they do?

A. Implement it anyway — all Annex A controls are mandatory

B. Document the exclusion with justification in the SoA

C. Remove it from the SoA entirely — it doesn't need to appear

D. Get top management to sign a waiver

Correct. All Annex A controls must appear in the SoA. Non-applicable controls must be listed with a justification for exclusion — they cannot simply be omitted.

2. During Stage 2, the auditor finds that one employee in a team of 40 has not completed the mandatory IS awareness training. What finding type is most appropriate?

A. Major nonconformity — all staff must be trained

B. Minor nonconformity — isolated single failure

C. Observation only — training is a recommendation

D. No finding — within acceptable tolerance

Correct. One person in 40 is an isolated lapse — a minor NC. If most or all staff had not been trained, it would be a major NC (systematic failure). Awareness is a "shall" in Clause 7.3, so it is auditable.

3. Who is responsible for approving residual risk under ISO 27001?

A. The Chief Information Security Officer (CISO)

B. Top management / the board

C. The risk owner

D. The external auditor

Correct. Clause 6.1.3 states that risk owners must approve the risk treatment plan and accept residual risks. Top management sets the risk acceptance criteria, but the risk owner approves residual risk against those criteria.

4. An auditor discovers that the same IT manager wrote the internal audit report for the department they manage. What is the correct finding?

A. Observation — not ideal but acceptable

B. Minor nonconformity — should use an external auditor next time

C. Major or minor nonconformity — auditor impartiality requirement breached

D. No finding — the IT manager is qualified

Correct. Clause 9.2 requires internal auditors to be objective and impartial — they must not audit their own work. This is a clear breach. Severity (major vs minor) depends on context, but it is always at minimum a nonconformity.

5. Which clause was newly introduced in ISO 27001:2022 to address planned changes to the ISMS?

A. Clause 6.2 — IS objectives

B. Clause 6.3 — Planning of changes

C. Clause 8.1 — Operational planning and control

D. Clause 10.1 — Continual improvement

Correct. Clause 6.3 is new in the 2022 edition. It requires that changes to the ISMS are carried out in a planned manner — considering purpose, potential consequences, resource availability, and responsibilities.

6. How many controls are in Annex A of ISO 27001:2022?

A. 114 controls across 14 domains

B. 114 controls across 4 themes

C. 93 controls across 4 themes

D. 93 controls across 14 domains

Correct. The 2022 revision restructured Annex A from 114 controls / 14 domains to 93 controls across 4 themes: Organizational (37), People (8), Physical (14), Technological (34). This is a guaranteed exam question.

7. An organisation transfers its data to a cloud provider. Which risk treatment option does this represent?

A. Avoid — they are stopping the activity

B. Retain — they are accepting the risk as-is

C. Share — the risk is partially transferred

D. Modify — they have reduced the likelihood

Correct. Using a third party (cloud, insurance) = sharing/transferring risk. Important caveat: accountability cannot be transferred. The organisation remains accountable for data protection even when using a cloud provider — only the financial or operational risk is shared.