
Internal Audit Plan — March 2026 (Initial)

Document ID: AUDIT-001
Audit type: Full ISMS Audit (Initial)
Audit date: 30 March 2026
Auditor: Sebastian Windeck (CTO) — areas not under CTO operational control audited by Jan Marc Castlunger (ISO)
Audit scope: Full ISMS — all ISO 27001:2022 clauses and Annex A controls in scope


1. Objective

Conduct the first internal audit of the ISMS to:

  • Verify that the ISMS conforms to ISO 27001:2022 requirements
  • Confirm that documented controls are implemented and effective
  • Identify nonconformities and areas for improvement before the Stage 1 certification audit (target: May 2026)
  • Establish baseline audit evidence for SOC 2 readiness

2. Scope

Area                               | Included | Auditor
-----------------------------------|----------|---------------------------
ISMS governance (Clauses 4-10)     |          | Jan Marc Castlunger (ISO)
Organisational controls (Annex A 5.x) |       | Sebastian Windeck (CTO)
People controls (Annex A 6.x)      |          | Sebastian Windeck (CTO)
Physical controls (Annex A 7.x)    |          | Sebastian Windeck (CTO)
Technical controls (Annex A 8.x)   |          | Jan Marc Castlunger (ISO)
SOC 2 alignment check              |          | Sebastian Windeck (CTO)

Auditor Independence

Per Internal Audit Procedure Section 5: for a small organisation (4-10 staff), each auditor audits areas outside their direct operational responsibility. Sebastian audits governance and people controls; Jan Marc audits technical infrastructure controls.


3. Audit Criteria

Criteria                               | Reference
---------------------------------------|------------------------------------------
ISO/IEC 27001:2022 Clauses 4-10        | Mandatory management system requirements
ISO/IEC 27001:2022 Annex A             | Controls per Statement of Applicability
Internal ISMS policies and procedures  | All POL-xxx and PROC-xxx documents
SOC 2 Trust Services Criteria          | Cross-reference alignment check

4. Audit Schedule — 30 March 2026

Time          | Area                                          | Clause/Control                                  | Auditor   | Interviewee
--------------|-----------------------------------------------|-------------------------------------------------|-----------|------------
09:00 - 09:30 | Opening meeting                               |                                                 | Both      | All
09:30 - 10:15 | Context & scope                               | 4.1, 4.2, 4.3, 4.4                              | Jan Marc  | Jan Marc
10:15 - 11:00 | Leadership & planning                         | 5.1, 5.2, 5.3, 6.1, 6.2, 6.3                    | Sebastian | Jan Marc
11:00 - 11:15 | Break                                         |                                                 |           |
11:15 - 12:00 | Policies & documentation                      | 5.1, 5.9, 5.10, 5.12, 5.15                      | Sebastian | Jan Marc
12:00 - 12:45 | People controls                               | 6.1, 6.3, 6.4, 6.5, 6.8                         | Sebastian | Jan Marc
12:45 - 13:30 | Lunch break                                   |                                                 |           |
13:30 - 14:30 | Technical controls (access, crypto, network)  | 8.2, 8.3, 8.5, 8.20, 8.24                       | Jan Marc  | Sebastian
14:30 - 15:30 | Technical controls (ops, dev, monitoring)     | 8.7, 8.8, 8.9, 8.15, 8.16, 8.25, 8.29, 8.32     | Jan Marc  | Sebastian
15:30 - 15:45 | Break                                         |                                                 |           |
15:45 - 16:30 | Risk & incident management                    | 5.24-5.27, 6.1.2, 6.1.3, 8.2, 8.3               | Sebastian | Jan Marc
16:30 - 17:00 | BCP, supplier management, SOC 2 alignment     | 5.19, 5.23, 5.29, 5.30                          | Sebastian | Jan Marc
17:00 - 17:30 | Closing meeting & preliminary findings        |                                                 | Both      | All

5. Evidence to Review

The following evidence will be examined during the audit. Reference: Evidence Index

Governance & Documentation

  • [ ] ISMS Scope document (ISO-001)
  • [ ] Information Security Policy — signed and communicated (POL-001)
  • [ ] ISMS Objectives — approved (ISO-005)
  • [ ] Statement of Applicability — current (ISO-002)
  • [ ] Risk Register — complete with residual risk acceptance (REG-002)
  • [ ] Management review minutes (initial review: 21 March 2026)
  • [ ] Document control: version history, approval records

Access Control & Identity

  • [ ] Azure AD user list with role assignments
  • [ ] MFA enforcement configuration (Azure, GitHub, Google)
  • [ ] RBAC role assignment evidence
  • [ ] GitHub access audit log
  • [ ] Access review records (or confirmation that first review is scheduled Q2 2026)

Technical Controls

  • [ ] Azure Security Center compliance score
  • [ ] Vulnerability scan reports
  • [ ] TLS configuration (SSL Labs report)
  • [ ] Azure Key Vault access logs and auto-rotation config
  • [ ] Azure Monitor log retention settings (current: 30-day)
  • [ ] NSG and firewall rules
  • [ ] GitHub branch protection rules
  • [ ] CI/CD pipeline configuration
  • [ ] SAST/GHAS scan results
  • [ ] Terraform IaC configuration

Operations & Incident Management

  • [ ] Incident Response Plan (PROC-001)
  • [ ] Emergency contact list — verified current
  • [ ] Business Continuity Plan (PROC-002)
  • [ ] Backup restore test records
  • [ ] Patch management records

People & Training

  • [ ] Security awareness training completion records (2026)
  • [ ] Employment contracts (confirm existence)
  • [ ] NDA status (gap acknowledged — R14)
  • [ ] Onboarding/offboarding checklists

Suppliers

  • [ ] Supplier register (REG-003)
  • [ ] DPA evidence (Azure, GitHub, Google)
  • [ ] Supplier risk assessment

6. Known Gaps (Pre-Audit)

The following items are already documented as gaps. The audit will verify the gap status and ensure corrective actions are in place:

Item                 | Gap                                  | Risk Ref | Corrective Action Status
---------------------|--------------------------------------|----------|-------------------------
Log retention        | 30-day rolling (target: 90+ days)    | R12      | Planned Q2 2026
NDAs                 | Not formalised                       | R14      | Planned Q2 2026
Penetration test     | Not yet conducted                    |          | Planned Q2 2026
Azure PIM            | Not active (standard RBAC)           |          | Planned Q3 2026
Background checks    | Process being formalised             |          | Planned Q2 2026
Phishing simulation  | Not yet conducted                    | R07      | Planned Q2 2026

7. Findings Classification

Per Internal Audit Procedure Section 4.3:

Classification        | Definition                                   | Action Required
----------------------|----------------------------------------------|-------------------------------
Major nonconformity   | Control absent or fundamentally ineffective  | Corrective action within 30 days
Minor nonconformity   | Control exists but partially ineffective     | Corrective action within 90 days
Observation           | Opportunity for improvement                  | Noted for next review
Conformity            | Control meets requirements                   | No action

8. Deliverables

Deliverable                          | Target Date    | Owner
-------------------------------------|----------------|---------------------------
Completed audit checklist            | 30 March 2026  | Both auditors
Draft audit report                   | 4 April 2026   | Sebastian Windeck (CTO)
Final audit report                   | 7 April 2026   | Jan Marc Castlunger (ISO)
Corrective action plan (if needed)   | 14 April 2026  | Jan Marc Castlunger (ISO)

9. Distribution

This audit plan is distributed to:

  • Jan Marc Castlunger (CEO / ISO)
  • Sebastian Windeck (CTO / DPO)
  • Malte Toetzke (Chief of AI)

Reference: Internal Audit Procedure (PROC-003)
Approved by: Jan Marc Castlunger (CEO / ISO), CTW Data Solutions GmbH