ISO 9001 Program Checklist
Overview
Use the ISO 9001 Program Checklist to follow and move forward to be audit ready. You can download a copy of this checklist at the end of this article.
Learn more about continuous ISO 9001 compliance with TrustOps for ISO 9001!
ISO 9001 Audit Checklist
ISO 9001 CHECKLIST |
1 – SCOPE |
☐ Identify the people, processes, and technology that support your business.
☐ Have you identified the relevant stakeholders needs for your product/service? ☐Have you identified the most relevant laws and regulations relevant to your product/service? ☐ Have you identified a critical physical location relevant for your product/service? |
2 – STAGES |
☐ Identify the people, processes, technology, stakeholder needs, applicable legislation, and location that support your business. Both stages are performed during an ISO 9001 audit
☐ Stage 1 if you were asked to demonstrate the design and execution of controls ☐ Stage 2 if you were asked to demonstrate operating effectiveness of controls over a period of time, |
3 – GAP ANALYSIS |
☐ Identify your current documentation posture
☐ Have you specified and properly documented the activities and procedures that make up your company’s control environment? ☐ Do you review documents on a regular basis to make sure they are up to date and accurate? ☐ Do you have your Quality Management System (QMS) policy documented? ☐ Identify your current control environment posture ☐ What is the organization’s governance structure? ☐ What is the tone and example of executive leadership and management? ☐ Have you designed and implemented hiring and exit procedures? ☐ How are personnel who are implementing or directing internal controls evaluated for competency? ☐ Are possible threats being identified? ☐ Have you put any mitigating plans in place? ☐ Do you have a protocol for dealing with incidents and a disaster recovery plan in place? ☐ What kind of management supervision and governance do you have in place to control the environment and reporting events, security problems, and fraud? ☐ Have you established a Management Review Committee to discuss QMS specific topics? ☐ Identify your current security environment posture ☐ Do you have access limited to positions that need it, with the appropriateness of the access being reviewed on a regular basis? ☐ Do you have policies in place for giving and taking away access from workers, customers, and other parties? ☐ Do you encrypt data while it’s in transit and while it’s at rest? ☐ Do you impose restrictions on administrative access to the technological stack? ☐ Identify your current risk mitigation environment posture ☐ Have you conducted vulnerability assessments or penetration testing on a regular basis to detect weaknesses in your environment? ☐ Do you have backup processes in place? ☐ Do you test your disaster recovery procedures on a yearly basis to guarantee that you can restart operations in case of a calamity? ☐ Do you regularly check for intrusion attempts, system performance, and availability? ☐ Identify your current system changes and posture ☐ Are system modifications tested and authorized before they are implemented? ☐ Do you inform your employees about system changes? ☐ Are your controls being monitored on a regular basis? ☐ Have you enabled notification of settings changes? ☐ Is your technology up to date in terms of upgrades? ☐ Do you have a system in place for separating development and production tasks? ☐ Identify your current posture in a remote working environment. ☐ Is technology being used uniformly across all employee locations? ☐ Is time synchronization enabled on all employees workstations and software? ☐ Do you provide staff with regular security awareness training, address data privacy in common spaces, use secure connections while working from home, and raise awareness of phishing attempts? ☐ Do you use multifactor authentication to get into your company’s network and other systems? ☐ Have you deployed mobile device management to make sure that mobile devices are encrypted and authenticated? |
4 – CONTROL IMPLEMENTATION |
☐ Design the controls to address your gaps
☐ Implement controls to address your gaps ☐ Test the controls to ensure that they are operating effectively. |
5 – STATEMENT OF APPLICABILITY (SOA) |
☐ Document all your clause controls in an SOA
☐ Document all your Annex A controls in an SOA ☐ Document any non-applicability (i.e Physical Security) |
6- INTERNAL AUDIT |
☐ Identify an internal auditor
☐ Grant them access to TrustCloud. |
7 – AUDIT READY |
☐ Identify the auditor
☐ Initiate kickoff to set expectations ☐ Grant them access to TrustCloud. |
8 – MAINTENANCE |
☐ Maintain the program to show continuous compliance via TC integrations
☐ Perform surveillance audits every year |