ISMS Stage 1 Audit Record

Name of the Organization


Address
Site Address (If any)
No. of Employees
No. of Shift
E-mail id
Contact Person
Telephone/Fax
Scope

Audit Team
  Lead Auditor:
  Auditor:
  Technical Expert:
Audit duration (man-day(s)):
Date of Audit
Legal and Statutory Requirements
Purpose of Audit: To evaluate the client's documented system, location & site-specific conditions and gather other details through discussions with the client's personnel to determine the organization's readiness for the Stage 2 Audit for Certification.
Brief about the organization

CHANGE DETAIL

Audit Duration for Stage 1
Are quoted man-days adequate?
Any change in employee detail?
Any change in scope?
Any additional information:

Q4A Management Private Limited AUD-F-09- Stage 1 ISMS Audit Report/ Rev.: 00 Page 1 of 5

Team Leader Declaration (tick or cross each column as applicable)


Auditing is based on a sampling process of the available information.
Audit is combined, joint or integrated.
The effectiveness of corrective actions taken regarding previously identified nonconformities has been verified.
The internal audit and management review processes are effective and comply with the requirements.
The scope of certification is appropriate.
The capability of the management system to meet applicable requirements and expected outcomes is effective and complying.
The audit objectives have been fulfilled and achieved.

REQUIREMENTS | Status (C/NC/O) | COMMENTS | ISMS Manual Reference

Are the Information Security Policy and Objectives designed, documented and approved? (Clause 5.2 & 6.2)
(includes framework of objectives, legal, statutory and contractual requirements, aligned with risk management and the criteria of risk evaluation)

Is the scope of the ISMS included in the Manual, with boundaries defined? (Clause 4.3)

Does the manual include details of exclusions with justifications?

Is the Information Security Risk Assessment process defined? (Clause 6.1.2)
(Method, identification of assets, threats and vulnerabilities, impact on organization CIA, owner, risk register, acceptable risk level, method of selection of controls)

Is the Information Security Risk Treatment process prepared, drafted and approved? (Clause 6.1.3)
(Report and plan no., date)

Are the results of the information security risk assessments and risk treatment documented? (Clause 8.2 & 8.3)

Are other procedures or controls in support of the ISMS defined and documented?
(Incident Management, Business Continuity Plan etc.)

Are the records required by ISO 27001:2013 documented, implemented and maintained?
(User ID authorization, security logs etc.)

Is the Statement of Applicability documented, implemented and maintained? (Clause 6.1.3 d)
(version, date, control points A5 – A18 and exclusions)

Are internal audits conducted as planned, and is evidence of the audit programme(s) and the audit results available? (Clause 9.2)
(Frequency, date of last internal audit, conducted by)

Are management reviews conducted as planned?
(Frequency, date of last MRM, chaired by, agenda)

Is evidence of the nature of nonconformities identified, any subsequent actions taken and corrective actions available? (Clause 10.1)

Is evidence of the monitoring and measurement results documented? (Clause 9.1)

Are information security incidents recorded? Is there evidence of resolving the same?

Are there any open information security incidents?

Is evidence of the competence of the information security resources available? (Clause 7.2)

Is operational planning and control information documented? (Clause 8.1)

Is documented information determined as necessary for the effectiveness of the ISMS? (Clause 7.5.1 b)

Are all requirements for documented information implemented and maintained?

Is there any outsourced process which is not covered in the scope but affects the organization and is controlled by the organization?

Are any statutory and/or regulatory requirements applicable to the organization or technical area identified and complied with?

SoA revision, version, date & controls excluded

ISMS Policies, Quality Policy & Objectives

SUMMARY OF AUDIT

AREA OF IMPROVEMENT

(Areas of improvement which may be identified as non-conformities during the Stage 2 audit)

Non-Conformities Raised

___ Minor/Major non-conformance(s) identified in the Stage 1 audit, details of non-conformance:

___ Major non-conformance(s) identified in the Stage 1 audit, details of non-conformance:

___ Observation(s) identified in the Stage 1 audit, details of non-conformance:

RECOMMENDATION
Recommend proceeding with Stage 2 (within 60 days from this audit date).
Recommend not proceeding to Stage 2 until audit evidence has been submitted to Q4AMPL showing that the concerns raised by the auditor(s) have been rectified. A date for Stage 2 will then be agreed.
Recommend not proceeding without a further Stage 1 audit due to the severity of the concerns raised by the audit team.

END OF REPORT
