Training Module
Auditing Information Security Controls (Annex A)
Audit control applicability, evidence expectations, and typical failure patterns across ISO/IEC 27001 Annex A control themes
Training Module
Auditing Information Security Controls (Annex A)
Audit control applicability, evidence expectations, and typical failure patterns across ISO/IEC 27001 Annex A control themes
Training Module
Auditing Information Security Controls (Annex A)
Audit control applicability, evidence expectations, and typical failure patterns across ISO/IEC 27001 Annex A control themes
Move from “control checklist” auditing to traceable assurance about how security actually operates
Annex A audits fail when controls are treated as static statements rather than working mechanisms with clear applicability, ownership, and evidence. This module equips auditors to challenge the Statement of Applicability, follow high-leverage audit trails, and recognise systemic ISMS weaknesses.
Move from “control checklist” auditing to traceable assurance about how security actually operates
Annex A audits fail when controls are treated as static statements rather than working mechanisms with clear applicability, ownership, and evidence. This module equips auditors to challenge the Statement of Applicability, follow high-leverage audit trails, and recognise systemic ISMS weaknesses.
Move from “control checklist” auditing to traceable assurance about how security actually operates
Annex A audits fail when controls are treated as static statements rather than working mechanisms with clear applicability, ownership, and evidence. This module equips auditors to challenge the Statement of Applicability, follow high-leverage audit trails, and recognise systemic ISMS weaknesses.
Training module overview
Training module overview
Training module overview
Many organisations can describe their Annex A controls but struggle to demonstrate why each control applies, how it is implemented, and whether it consistently operates across sites, teams, and suppliers. The result is an audit pattern of “policy evidence” without operational proof, and repeated findings that are symptoms of deeper system weaknesses.
This standard-specific audit add-on focuses on Annex A control applicability and rationale (via the Statement of Applicability), evidence expectations by control theme, and typical systemic ISMS failures. It assumes information security fundamentals are already covered elsewhere and does not re-teach generic audit craft; it applies audit judgement to ISO/IEC 27001’s control set for internal auditors and third-party auditors (e.g., certification bodies or independent assurance providers).
Many organisations can describe their Annex A controls but struggle to demonstrate why each control applies, how it is implemented, and whether it consistently operates across sites, teams, and suppliers. The result is an audit pattern of “policy evidence” without operational proof, and repeated findings that are symptoms of deeper system weaknesses.
This standard-specific audit add-on focuses on Annex A control applicability and rationale (via the Statement of Applicability), evidence expectations by control theme, and typical systemic ISMS failures. It assumes information security fundamentals are already covered elsewhere and does not re-teach generic audit craft; it applies audit judgement to ISO/IEC 27001’s control set for internal auditors and third-party auditors (e.g., certification bodies or independent assurance providers).
Applicable environments
This module focuses on auditing clauses and controls that are specific to ISO/IEC 27001. It is intended for auditors working with organisations operating an information security management system (ISMS) according to this standard.
Target audience
Target audience
Target audience
Aspiring auditors who want to audit against ISO/IEC 27001 following best practices
Practising ISO/IEC 27001 auditors who want to strengthen their audit knowledge, judgement, and effectiveness
Aspiring auditors who want to audit against ISO/IEC 27001 following best practices
Practising ISO/IEC 27001 auditors who want to strengthen their audit knowledge, judgement, and effectiveness
Decision support
Is this module for you?
It is a good fit if you…
aim to audit whether Annex A controls operate in practice, not just on paper.
want to test control applicability and rationale via the Statement of Applicability.
follow control claims end-to-end across policy, process, configuration, and records.
strengthen evidence-based judgement across different control themes.
seek audit findings that highlight systemic weaknesses, not checklist gaps.
aim to audit whether Annex A controls operate in practice, not just on paper.
want to test control applicability and rationale via the Statement of Applicability.
follow control claims end-to-end across policy, process, configuration, and records.
strengthen evidence-based judgement across different control themes.
seek audit findings that highlight systemic weaknesses, not checklist gaps.
If most of the points above apply, this module is likely a good fit.
It may not be the best fit if you…
primarily want to design, implement, or improve security controls.
expect control theory or technical implementation guidance.
prefer audits limited to documentation or policy consistency checks.
avoid challenging formally correct but weak control claims.
primarily want to design, implement, or improve security controls.
expect control theory or technical implementation guidance.
prefer audits limited to documentation or policy consistency checks.
avoid challenging formally correct but weak control claims.
Agenda
Agenda
Agenda
Annex A in an audit context
Control applicability and rationale
Evidence expectations by control theme (ISO/IEC 27001:2022 structure)
Physical controls: site realities, shared spaces, visitor and asset movement controls
Tracing one control claim through policy → process → configuration → records
Paper control sets: declared controls without operational ownership and verification
Case-based audit simulation
Show detailed agenda...
Annex A in an audit context
Control applicability and rationale
Evidence expectations by control theme (ISO/IEC 27001:2022 structure)
Physical controls: site realities, shared spaces, visitor and asset movement controls
Tracing one control claim through policy → process → configuration → records
Paper control sets: declared controls without operational ownership and verification
Case-based audit simulation
Show detailed agenda...
Annex A in an audit context
Control applicability and rationale
Evidence expectations by control theme (ISO/IEC 27001:2022 structure)
Physical controls: site realities, shared spaces, visitor and asset movement controls
Tracing one control claim through policy → process → configuration → records
Paper control sets: declared controls without operational ownership and verification
Case-based audit simulation
Show detailed agenda...
Learning outcomes
Learning outcomes
Learning outcomes
Key outcomes
Challenge Annex A control applicability decisions using consistent tests for rationale quality and scope fit
Distinguish control statement, implementation, and operation evidence, and identify which is missing
Identify expected evidence types by Annex A control theme
Challenge Annex A control applicability decisions using consistent tests for rationale quality and scope fit
Distinguish control statement, implementation, and operation evidence, and identify which is missing
Identify expected evidence types by Annex A control theme
Additional capabilities
Build practical, traceable audit trails from control intent to operational proof across functions and suppliers
Recognise recurring systemic ISMS failure patterns behind repeated control weaknesses
Apply Annex A auditing judgement in both internal audits and third-party assurance contexts without reverting to checklist auditing
Build practical, traceable audit trails from control intent to operational proof across functions and suppliers
Recognise recurring systemic ISMS failure patterns behind repeated control weaknesses
Apply Annex A auditing judgement in both internal audits and third-party assurance contexts without reverting to checklist auditing
Additional benefits
Additional benefits
Additional benefits
Learning materials
Slide deck
Participant workbook
Templates & tools
Practical, reusable artefacts to apply the module directly to your organisation.
SoA credibility checklist (applicability, tailoring, rationale quality)
Annex A evidence expectation matrix (by control theme, evidence types, typical sources)
Audit trail mapping sheet (policy → process → configuration → records)
Systemic failure pattern library (red flags and likely root causes)
Evidence prompt list for distributed controls (multi-team, shared platforms, outsourced services)
SoA credibility checklist (applicability, tailoring, rationale quality)
Annex A evidence expectation matrix (by control theme, evidence types, typical sources)
Audit trail mapping sheet (policy → process → configuration → records)
Systemic failure pattern library (red flags and likely root causes)
Evidence prompt list for distributed controls (multi-team, shared platforms, outsourced services)
Confirmation
Certificate of completion
Module ID
HAM-IS-A-02
Domain
Audience
Auditor
Language
English
Delivery
Live virtual
Duration
3.5 h
List price
CHF 275
Excl. VAT. VAT may apply depending on customer location and status.
Delivery & learning format
Delivery & learning format
Delivery & learning format
Virtual live teaching
This module is delivered live, with a strong focus on discussion, practical application, and direct interaction with the instructor.
Sessions work through realistic examples, clarify concepts in context, and apply methods directly to participants’ organisational realities.
Custom delivery options
For organisations with specific constraints or learning objectives, the module can be adapted in format or scope, including in-house delivery and contextualised case material.
Not sure if this module is right for you?
Not sure if this module is right for you?
Not sure if this module is right for you?
For an optimal learning experience
Preparation guidance
This module is designed as part of a modular training approach. Topics are deliberately distributed across modules and are not repeated in full, in order to avoid unnecessary redundancy. Each module is self-contained and can be taken on its own. Where prior knowledge or experience is helpful, this is indicated below so you can decide whether any preparation is useful for you.
For an optimal learning experience
Preparation guidance
This module is designed as part of a modular training approach. Topics are deliberately distributed across modules and are not repeated in full, in order to avoid unnecessary redundancy. Each module is self-contained and can be taken on its own. Where prior knowledge or experience is helpful, this is indicated below so you can decide whether any preparation is useful for you.
For an optimal learning experience
Preparation guidance
This module is designed as part of a modular training approach. Topics are deliberately distributed across modules and are not repeated in full, in order to avoid unnecessary redundancy. Each module is self-contained and can be taken on its own. Where prior knowledge or experience is helpful, this is indicated below so you can decide whether any preparation is useful for you.
Assumed background
This module assumes:
Auditor-level understanding of evidence, professional judgement, and findings discipline (audit craft is not re-taught here)
Working familiarity with ISO/IEC 27001 structure, including the role of the Statement of Applicability and Annex A controls
Information security fundamentals (e.g., access control, logging, change management, incident handling concepts) as baseline literacy
This module assumes:
Auditor-level understanding of evidence, professional judgement, and findings discipline (audit craft is not re-taught here)
Working familiarity with ISO/IEC 27001 structure, including the role of the Statement of Applicability and Annex A controls
Information security fundamentals (e.g., access control, logging, change management, incident handling concepts) as baseline literacy
Preparatory modules
Foundational modules (depending on background)
Useful if you are new to the underlying concepts or want a shared baseline before attending this module.
Audit Foundations
Understand core audit mindset, evidence logic, materiality-based focus, and audit test plan design
7 h
Audit Foundations
Understand core audit mindset, evidence logic, materiality-based focus, and audit test plan design
7 h
Audit Foundations
Understand core audit mindset, evidence logic, materiality-based focus, and audit test plan design
7 h
Supporting modules (optional)
Helpful if you want to deepen related skills, but not required to participate effectively.
Information Security Fundamentals II
Understand the core concepts behind detective and corrective controls, including logging and monitoring, incident response, backup, and recovery
7 h
Information Security Fundamentals II
Understand the core concepts behind detective and corrective controls, including logging and monitoring, incident response, backup, and recovery
7 h
Information Security Fundamentals II
Understand the core concepts behind detective and corrective controls, including logging and monitoring, incident response, backup, and recovery
7 h
Information Security Fundamentals I
Understand the core concepts behind preventive controls, including access management, cryptography, secure configuration, and protective design
7 h
Information Security Fundamentals I
Understand the core concepts behind preventive controls, including access management, cryptography, secure configuration, and protective design
7 h
Information Security Fundamentals I
Understand the core concepts behind preventive controls, including access management, cryptography, secure configuration, and protective design
7 h
Audit Execution: Communication & Interviewing
Learn the skills for effective interview planning, questioning, and conversation control for reliable audit evidence
7 h
Audit Execution: Communication & Interviewing
Learn the skills for effective interview planning, questioning, and conversation control for reliable audit evidence
7 h
Audit Execution: Communication & Interviewing
Learn the skills for effective interview planning, questioning, and conversation control for reliable audit evidence
7 h
Audit Reporting & Follow-up
Understand how to write evidence-based findings, structure audit reports, and follow up agreed actions to verified closure
7 h
Audit Reporting & Follow-up
Understand how to write evidence-based findings, structure audit reports, and follow up agreed actions to verified closure
7 h
Audit Reporting & Follow-up
Understand how to write evidence-based findings, structure audit reports, and follow up agreed actions to verified closure
7 h
Continuous learning
Follow-up modules
Continuous learning
Follow-up modules
Continuous learning
Follow-up modules
After completion of this module, the following modules are ideal to further deepen your competence. If you are looking for a structured learning path, modules can also be taken as part of a professional track.
Ready to improve your management systems?
We support continuous improvement by embedding ISO requirements into everyday practice and daily operations.
Ready to improve your management systems?
We support continuous improvement by embedding ISO requirements into everyday practice and daily operations.
Ready to improve your management systems?
We support continuous improvement by embedding ISO requirements into everyday practice and daily operations.