ISO 9001: 2015 - Internal Audit Checklist for IT Process in Manufacturing
Master ISO 9001 IT systems and data security audits with this comprehensive tabular technology checklist. This guide provides practical audit questions covering data backup and recovery, disaster recovery planning, cybersecurity risk management, infrastructure support systems, access control and data protection, equipment maintenance, IT security, business continuity, and IT roles and responsibilities. Quick reference format for auditing the IT infrastructure supporting QMS operations.
π Quick Navigation
πΎ Data Backup and Document Management (Clause 7.5)
Verify that important QMS and business documents are backed up regularly. Check that backup schedules are documented and backup integrity is tested periodically.
| CLAUSE | AUDIT QUESTION | WHAT TO LOOK FOR |
|---|---|---|
| 7.5 | Are important QMS/Business documents backed up regularly? | Backup schedule documented (daily/weekly), backup automation configured, backup logs maintained, backup frequency appropriate for criticality |
| 7.5 | Is backup integrity tested periodically? | Backup restoration tests conducted, test results documented, backup data verified as readable, recovery procedures validated |
⚠️ Critical: A backup that can't be restored is worthless. Regular testing ensures data recovery when needed.
π Disaster Recovery and Business Continuity (Clause 7.5 & 6.1)
Verify that a disaster recovery plan exists with backup locations and recovery time objectives. Check that the plan is documented and tested.
| CLAUSE | AUDIT QUESTION | WHAT TO LOOK FOR |
|---|---|---|
| 7.5 | Is there a disaster recovery plan if IT systems fail? | DR plan documented with backup location, recovery time objectives (RTO) defined, recovery point objectives (RPO) specified, procedures detailed |
| 6.1 | Has the disaster recovery plan been tested? | DR test conducted recently, test results documented, time to recover measured, issues identified and addressed, plan updated based on test findings |
Recovery Metrics: RTO = how long before systems recover. RPO = how much data loss acceptable. Both should be defined based on business criticality.
π Data Security and Access Control (Clause 7.5.3)
Verify that access to sensitive QMS data is restricted through authentication and authorization. Check that password policies are enforced and user access is controlled.
| CLAUSE | AUDIT QUESTION | WHAT TO LOOK FOR |
|---|---|---|
| 7.5.3 | Is access to sensitive QMS data restricted? (password protection, role-based access) | Username/password login required, role-based access controls (RBAC) implemented, user access provisioned by role, access logs maintained |
| 7.5.3 | Are password policies enforced? (complexity, length, change frequency) | Password minimum length set (8+ characters), complexity required (upper, lower, numbers, special characters), expiration policy (30-90 days), password history tracked |
⚠️ Risk: Weak access controls could allow unauthorized changes to QMS data, inspection records, or quality decisions - undermining system integrity.
π€ User Access Management and Segregation of Duties (Clause 7.5.3)
Verify that user access is granted based on job role and principle of least privilege. Check that access rights are reviewed periodically and removed when no longer needed.
| CLAUSE | AUDIT QUESTION | WHAT TO LOOK FOR |
|---|---|---|
| 7.5.3 | Is user access granted based on job role and least privilege principle? | Access rights assigned per role, users have only necessary permissions, approval process for new access, role documentation maintained |
| 7.5.3 | Are user access rights reviewed periodically? | Access review conducted quarterly or annually, terminated employees removed from systems promptly, role changes updated in system |
| 7.5.3 | Is there segregation of duties to prevent fraud or errors? | No one person can create-approve-process cycles, transaction review built into workflow, authorization separates data creation from approval |
Segregation of Duties: Critical transactions (purchase orders, inspection approval, product release) should not be performed by single person.
π‘️ Cybersecurity Risk Management (Clause 6.1)
Verify that cybersecurity risks are identified and mitigation strategies are in place. Check for controls against hacking, malware, and data breaches.
| CLAUSE | AUDIT QUESTION | WHAT TO LOOK FOR |
|---|---|---|
| 6.1 | Are cybersecurity risks identified? (hacking, malware, data breach, ransomware) | Risk assessment conducted, cybersecurity threats documented, vulnerability scanning performed, threat landscape monitored |
| 6.1 | Are controls in place to prevent cyberattacks? | Firewall configured, antivirus/antimalware active, intrusion detection systems, email filtering, updates/patches current, network monitoring |
⚠️ Critical Threat: Ransomware attacks on manufacturing can halt production for days. Regular backups and network isolation are critical.
π️ IT Infrastructure and Systems (Clause 7.1.3)
Verify that adequate IT infrastructure is provided to support QMS operations. Check that systems are reliable and support organization's needs.
| CLAUSE | AUDIT QUESTION | WHAT TO LOOK FOR |
|---|---|---|
| 7.1.3 | Is IT infrastructure adequate for QMS operations? | Network bandwidth sufficient, servers reliable, storage capacity adequate, software licenses current, integration between systems functional |
| 7.1.3 | Are computers and equipment regularly maintained and updated? | Preventive maintenance schedule followed, security patches applied promptly, OS updates installed, hardware checked for issues |
⚡ Backup Power Systems (Clause 7.1.3)
Verify that uninterruptible power supply (UPS) or backup generators are available to prevent data loss during power failures.
| CLAUSE | AUDIT QUESTION | WHAT TO LOOK FOR |
|---|---|---|
| 7.1.3 | Are backup power systems (UPS/generators) available? | UPS installed for critical systems, battery capacity adequate, generator available if needed, power conditioning monitored, outage history tracked |
| 7.1.3 | Is backup power system tested regularly? | UPS battery tested periodically, generator start-up tested monthly, failover to backup power verified, maintenance records maintained |
Uptime Requirement: Every minute of system downtime costs money and can impact product quality. Backup power prevents data corruption from unexpected outages.
π§ Equipment Maintenance and Support (Clause 7.1.3)
Verify that IT equipment receives preventive maintenance and vendor support contracts are in place for critical systems.
| CLAUSE | AUDIT QUESTION | WHAT TO LOOK FOR |
|---|---|---|
| 7.1.3 | Is preventive maintenance performed on IT equipment? | Maintenance schedule documented, cleaning performed regularly, disk space monitored, system performance monitored, issues logged and tracked |
| 7.1.3 | Are vendor support contracts in place for critical systems? | Support contracts current for servers/databases, warranty coverage verified, support response time defined, escalation procedures documented |
π Physical Security and Work Area Control (Clause 7.1.4)
Verify that IT work areas are secure with restricted access. Check that equipment is protected from physical damage or unauthorized tampering.
| CLAUSE | AUDIT QUESTION | WHAT TO LOOK FOR |
|---|---|---|
| 7.1.4 | Are IT work areas secure with restricted access? (server room, data center) | Server room locked, access via keycard/biometric, visitor log maintained, access restricted to authorized personnel only, CCTV monitoring |
| 7.1.4 | Are equipment and cables protected from physical damage or tampering? | Servers secured in racks, cable management organized, no exposed cables, environmental monitoring (temperature/humidity), cable locks where applicable |
⚠️ Threat: Physical access to servers allows data theft, tampering, or destruction. Server room access control is essential.
π Business Continuity Planning (Clause 6.1 & 7.5)
Verify that business continuity and IT contingency plans are in place to minimize impact of IT disruptions.
| CLAUSE | AUDIT QUESTION | WHAT TO LOOK FOR |
|---|---|---|
| 6.1 | Is there a business continuity plan for IT disruptions? | BCP documented, critical functions identified, recovery procedures defined, alternate locations identified, communication plan established |
| 6.1 | Are manual procedures available if systems fail? | Workaround procedures documented for critical processes, paper-based backup procedures, training on manual processes, regular drills conducted |
Continuity Requirement: Business can't wait for IT repairs. Have manual processes to keep critical operations running during outages.
π₯ IT Roles and Responsibilities (Clause 5.3)
Verify that IT responsibilities are clearly defined and understood by team members. Check that IT support is available and responsive.
| CLAUSE | AUDIT QUESTION | WHAT TO LOOK FOR |
|---|---|---|
| 5.3 | Are IT responsibilities documented and understood? | IT job descriptions defined, skills identified, support procedures documented, escalation path clear, on-call procedures established |
| 5.3 | Is IT support available and responsive? | Help desk/support contact available, response time targets set, issue tracking system used, tickets tracked to resolution |
π IT Systems Audit Best Practices
Before the Audit
| π Understand IT Environment | Review systems inventory, network diagram, application list to understand IT infrastructure |
| π Review IT Policies | Backup policy, disaster recovery plan, security policy, access control procedures |
| π️ Schedule IT Review | Meet with IT manager, security officer, system administrators for interviews |
| π Prepare Questions | Use this checklist, understand systems, focus on critical infrastructure |
During the Audit
| π€ Interview IT Team | Ask about backup procedures, disaster recovery, security controls, system maintenance |
| π Review Security Controls | Observe password policies, access controls, physical security, encryption settings |
| πΎ Verify Backups | Check backup logs, verify recent backup completed, ask about last restoration test |
| π Review Documentation | Check DR plan, BCP, system maintenance logs, access control records |
| π’ Tour IT Facilities | Visit server room, check access control, power systems, environmental monitoring |
| π§ Check Maintenance | Verify equipment updates current, patches applied, maintenance schedule followed |
After the Audit
| π Comprehensive Report | Document IT infrastructure adequacy, security posture, backup/recovery readiness |
| ⭐ Rate IT System | Overall assessment of IT system resilience, security, and support effectiveness |
| π― Provide Recommendations | Suggest security improvements, infrastructure upgrades, business continuity enhancements |
| ✅ Require Actions | For nonconformities, require corrective actions with specific timelines |
| π Follow-Up | Verify IT improvements implemented in next audit |
π© Common IT and Data Security Findings
| No Backup Procedures | Data not backed up regularly or backup schedule not documented |
| No Disaster Recovery | No DR plan documented or tested; recovery procedures undefined |
| Weak Access Control | Passwords weak or not enforced; users have excessive permissions |
| No Segregation of Duties | Single person can create transactions and approve them (fraud risk) |
| Unpatched Systems | Security patches not applied; systems vulnerable to attacks |
| No Backup Power | No UPS or backup power; data loss risk during outages |
| Poor Physical Security | Server room access unrestricted; equipment at risk of tampering |
| No Cybersecurity Plan | Cybersecurity risks not identified; no defense against hacking/malware |
| Outdated Equipment | Servers/systems old; maintenance difficult, no vendor support |
| No Business Continuity | No workaround procedures if systems fail; critical operations halt |
✨ Conclusion
This comprehensive ISO 9001 IT systems and data security audit checklist in tabular format covers all critical IT infrastructure aspects supporting QMS operations from data backup through cybersecurity and business continuity. Effective IT audits verify that systems are reliable, data is protected and recoverable, and backup procedures ensure operational resilience. Strong IT infrastructure and security controls are essential for maintaining QMS integrity, protecting confidential data, and ensuring business continuity during disruptions.
Remember: IT systems support all QMS processes. Without reliable systems, secure data, and recovery capabilities, the entire quality system is at risk. Investing in robust IT infrastructure is essential for QMS success.
π Explore Related Audit Guides
This blog is part of a comprehensive ISO 9001 internal audit series:
