What kinds of audit evidence will your Certification Body be seeking to confirm your compliance with the requirements of Annex A?

Using ISO 27001 controls outlined in Annex A alone to address security vulnerabilities is never enough!

What is ISO 27001 Annex A About?

Let’s begin with what ISO 27001 Annex A is about. The purpose of Annex A controls is to ensure that a comprehensive set of controls are in place to manage information security risks. And we place great emphasis on this in all our ISO 27001 training courses because the application of these Controls is fundamental to compliance with the Standard's requirements.

As the vulnerabilities and threats to information security vary from one organization to another, the vulnerabilities included in Annex A should be treated as a 'fallback' position. 

External auditors will not be satisfied with information security controls that address Annex A vulnerabilities alone. Without additional vulnerabilities particular to your organization (and consideration having been taken of the several sectoral Codes of Practice that may apply, e.g., ISO 27018 regarding personally identifiable information), external auditors will likely believe that no real risk assessment was done.

This may give them the impression that you've gone through the motions of preparing information security management system documentation to give the appearance of meeting requirements.

In this circumstance, you've little chance of being recommended for Certification to ISO 27001.

How to Provide Evidence to Prove ISO 27001 Annex A Compliance

The external auditors will look for a variety of evidence of effective implementation of controls and precautions related to applicable ISO 27001 Annex A vulnerabilities. They would also look for other vulnerabilities specific to and identified by the organization.

Here are some examples of ways you can prove compliance with ISO 27001 Annex A:

1. Conduct Observation

This is the best quality of audit evidence. Verifying and recording in the Audit Workbook that:

• a locked door is locked,
• people do sign confidentiality agreements,
• the asset register exists and contains assets observed,
• system settings are adequate, etc.).

2. Keep Records of Performance

Evidence can be gathered from seeing the results of the performance of a Control.  Having sight of and recording in Audit Workbook:

• printouts of access rights given to people signed by the correct authorizing official,
• records of incident resolution,
• processing authorities signed by the correct authorizing official,
• minutes of management (or other) meetings.

3. Perform Direct Testing

Evidence can be the result of direct testing (or re-performance) of controls by the auditor.  For example:

• attempts to perform tasks said to be prohibited by the controls,
• determination whether software to protect against malicious code is installed and up-to-date on machines,
• access rights granted (with the permission of management/authorities).

View ISO 27001 Lead Auditor Course (incl. Annex A Workbook)

4. Conduct Interviews

This is arguably the most important form of evidence.  Many organizations operate on the basis that if IT vulnerabilities are controlled, the organization is protected.  This is folly.  We're not talking about cyber security.  It's more than that.  We're talking about information security!

We know that all the technological precautions in the world are essentially useless unless the people involved fully play their part.  People are always the weakest link in the chain; just read about major information security breaches, and you will see that time after time, it is the failure of the people involved (actively or passively) that permitted the incident to occur. 

Interview-type evidence can be gathered by:

• interviewing staff at all levels and functions about applicable processes and controls
• and then determining whether this is factually correct.
• interviewing persons doing work under the organization’s control about applicable processes (especially outsourced processes) and controls
• and then determining whether this is factually correct.
• interviewing contractors and sub-contractors (both management and staff) about applicable processes and controls
• And then determining whether this is factually correct.

How Annex A of ISO 27001 Affects Your Internal Audit Programme

Too often, Audit Programmes for organizations seeking certification to ISO 27001 ignore Annex A or schedule a cursory audit of the requirements here. 

Remember Annex A is not ‘Informative’; it is ‘Normative’, that is, a mandatory part of the Standard.

It is essential that a sufficient number of internal audits be planned to cover all applicable vulnerabilities (upward of a hundred are common) and evidence of the types given above to be collected and documented.  Otherwise, you have little chance of a successful Certification Audit.  Good luck.

Select the best ISO 27001 Course

We have five ISO 27001 Courses to choose from, including Extension and Conversion Courses. Click the button to compare the options available.

(From Annex D ISO/IEC 27006:2015/Amd 1:2020)

ISO 27001 course image map. Click on the course you are interested in to learn more about it, or see our ISO 27001 overview page to see the full suite.

Note: This post was first published in October 2019; revised and updated in October 2021.

Related Articles

• ISO 27001:2022 - facts about the new version
• Free ISO 27001 Implementation Handbook (100+ pages)
• ISO 27001 Implementation in 31 Steps
• Navigating the fifty-six ISO 27000 Series of Standards
• Information Security Standards other than ISO 27001

deGRANDSON Global is an ISO Certified Educational Organization

We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which in our opinion are commercially compromised), it is based on independent third-party assessment.  It is a ‘university grade’ standard in use globally by schools, colleges, and universities to demonstrate their competence.