Training Module
Auditing Information Security Controls
Evaluate control applicability, implementation evidence & common failure patterns across ISO/IEC 27001 Annex A control themes
Training module overview
Many organisations can describe their Annex A controls but struggle to demonstrate why each control applies, how it is implemented, and whether it consistently operates across sites, teams, and suppliers. The result is an audit pattern of “policy evidence” without operational proof, and repeated findings that are symptoms of deeper system weaknesses.
This standard-specific auditing module focuses on Annex A control applicability and rationale (via the Statement of Applicability), evidence expectations by control theme, and typical systemic ISMS failures. It assumes information security fundamentals are already covered elsewhere and does not re-teach generic audit craft; it applies audit judgement to ISO/IEC 27001’s control set for internal auditors and third-party auditors (e.g., certification bodies or independent assurance providers).
Applicable environments
This module focuses on auditing clauses and controls that are specific to ISO/IEC 27001. It is intended for auditors working with organisations operating an information security management system (ISMS) according to this standard.
Target audience
Aspiring auditors who want to audit against ISO/IEC 27001 following best practices
Practising ISO/IEC 27001 auditors who want to strengthen their audit knowledge, judgement, and effectiveness
Decision support
Is this module for you?
It is a good fit if you…
aim to audit whether Annex A controls operate in practice, not just on paper.
want to test control applicability and rationale via the Statement of Applicability.
follow control claims end-to-end across policy, process, configuration, and records.
strengthen evidence-based judgement across different control themes.
seek audit findings that highlight systemic weaknesses, not checklist gaps.
If most of the points above apply, this module is likely a good fit.
It may not be the best fit if you…
primarily want to design, implement, or improve security controls.
expect control theory or technical implementation guidance.
prefer audits limited to documentation or policy consistency checks.
avoid challenging formally correct but weak control claims.
Agenda
Annex A in an audit context
Control applicability and rationale
Evidence expectations by control theme (ISO/IEC 27001:2022)
Physical controls in real environments
Tracing one control end-to-end
Paper control sets and drift patterns
Case-based audit simulation
Show detailed agenda...
Learning outcomes
Key outcomes
Challenge Annex A control applicability decisions using consistent tests for rationale quality and scope fit
Distinguish control statement, implementation, and operation evidence, and identify which is missing
Identify expected evidence types by Annex A control theme
Additional capabilities
Build practical, traceable audit trails from control intent to operational proof across functions and suppliers
Recognise recurring systemic ISMS failure patterns behind repeated control weaknesses
Apply Annex A auditing judgement in both internal audits and third-party assurance contexts without reverting to checklist auditing
Additional benefits
Learning materials
Slide deck
Participant workbook
Templates & tools
Practical, reusable artefacts to apply the module directly to your organisation.
Audit interview planning tool
Documented information checklist
Sampling tool
Audit analysis worksheets
Failure pattern library
Supporting AI prompt set
Confirmation
Certificate of completion
Module ID
HAM-IS-A-02
Discipline
ISO clause
8: Operation
Audience
Auditor
Languages
English
Delivery
Live virtual
Duration
7 h
List price
CHF 550
Excl. VAT. VAT may apply depending on customer location and status.
Delivery & learning format
Virtual live teaching
This module is delivered live, with a strong focus on discussion, practical application, and direct interaction with the instructor.
Sessions work through realistic examples, clarify concepts in context, and apply methods directly to participants’ organisational realities.
Custom delivery options
For organisations with specific constraints or learning objectives, the module can be adapted in format or scope, including in-house delivery and contextualised case material.
For an optimal learning experience
Preparation guidance
This module is designed as part of a modular training approach. Topics are deliberately distributed across modules and are not repeated in full, in order to avoid unnecessary redundancy. Each module is self-contained and can be taken on its own. Where prior knowledge or experience is helpful, this is indicated below so you can decide whether any preparation is useful for you.
Assumed background
This module assumes:
Auditor-level understanding of evidence, professional judgement, and findings discipline (audit craft is not re-taught here)
Working familiarity with ISO/IEC 27001 structure, including the role of the Statement of Applicability and Annex A controls
Information security fundamentals (e.g., access control, logging, change management, incident handling concepts) as baseline literacy
Preparatory modules
Foundational modules (depending on background)
Useful if you are new to the underlying concepts or want a shared baseline before attending this module.
Supporting modules (optional)
Helpful if you want to deepen related skills, but not required to participate effectively.
