Checklist: Internal Audit Questions for OT Access, Backup Recovery, and Supplier Controls
Manufacturing organizations preparing for ISO 27001 audits often focus on policies and documentation. However, auditors want evidence that critical controls are working in practice. Three areas consistently create findings: OT access management, backup and recovery testing, and supplier controls.
Quick Snapshot
| Audit Area | Why It Matters |
|---|---|
| OT Access | Controls access to PLCs, HMIs, SCADA, engineering workstations, vendor sessions, and plant networks. |
| Backup Recovery | Proves that critical systems can be restored after ransomware, outage, corruption, or operational disruption. |
| Supplier Controls | Reviews suppliers, maintenance vendors, MSPs, software providers, and third parties with access to systems, data, or operations. |
| Evidence | Shows access reviews, restore tests, supplier reviews, contracts, vendor logs, corrective actions, and audit readiness. |
| Outcome | A stronger internal audit that finds control gaps before the external ISO 27001 audit does. |
Introduction
Manufacturing organizations preparing for ISO 27001 audits often spend a lot of time on policies, procedures, and document control.
That matters. But documentation alone is not enough.
Auditors want to know whether controls are actually working. They want to see evidence that access is reviewed, backups are tested, suppliers are managed, and corrective actions are tracked.
For manufacturers, internal audit should test operational reality, not just policy existence.
Three areas consistently create audit findings:
- OT access management
- backup and recovery testing
- supplier and vendor controls
This checklist gives manufacturing teams practical internal audit questions to identify gaps before an external ISO 27001 audit.
Need Help Preparing for an ISO 27001 Internal Audit?
Canadian Cyber helps manufacturers assess OT access controls, backup recovery programs, supplier risk management, ISO 27001 readiness, evidence collection, and internal audit preparation.
Why These Areas Matter
Operational technology, recovery capabilities, and third-party access directly affect the ability of a manufacturing organization to keep operating during cyber incidents and system outages.
| Business Area | Audit Relevance |
|---|---|
| Production Uptime | Weak OT access or recovery controls can increase downtime risk. |
| Cyber Resilience | Restore testing and supplier controls help reduce ransomware impact. |
| Customer Commitments | Audit evidence supports customer trust and contractual security expectations. |
| Regulatory Compliance | Documented controls support ISO 27001, insurance, and security review requirements. |
| Business Continuity | Tested recovery procedures help the business respond under pressure. |
Weak controls in OT access, backup recovery, or supplier management can increase the risk of downtime, ransomware impact, or unauthorized access.
OT Access Control Audit Questions
Operational Technology environments often include PLCs, HMIs, SCADA systems, engineering workstations, sensors, industrial networks, and plant support systems. Access to these systems should be controlled, approved, monitored, and reviewed.
User Access
| Audit Question | Yes / No |
|---|---|
| Is there a current inventory of OT users? | |
| Are user accounts assigned to named individuals? | |
| Are privileged accounts documented and approved? | |
| Are inactive accounts removed promptly? | |
| Are access reviews performed regularly? | |
Remote Access
| Audit Question | Yes / No |
|---|---|
| Is remote OT access formally approved? | |
| Is MFA required for remote access? | |
| Are vendor sessions logged and monitored? | |
| Are remote access permissions reviewed periodically? | |
| Are emergency access activities documented? | |
Evidence to Review
- OT user access reports
- privileged account reviews
- vendor access logs
- MFA configuration records
- access approval records
Internal audit focus:
Do not only ask whether OT access is controlled. Verify whether the access list is current, privileged users are approved, vendor sessions are logged, and emergency access is documented.
Review OT Access Before the Auditor Does
Canadian Cyber helps manufacturers assess OT access controls, remote vendor access, privileged accounts, MFA evidence, access reviews, and audit-ready documentation.
Backup and Recovery Audit Questions
Backups are only valuable if systems can be restored successfully. Internal audit should verify whether backup controls are operating and whether restore testing has been completed.
Backup Controls
| Audit Question | Yes / No |
|---|---|
| Are critical systems identified and prioritized? | |
| Are backups performed according to policy? | |
| Are backup failures reviewed and resolved? | |
| Are backups protected from ransomware? | |
| Are backup retention requirements defined? | |
Recovery Testing
| Audit Question | Yes / No |
|---|---|
| Have restore tests been completed recently? | |
| Are restore results documented? | |
| Are recovery objectives defined? | |
| Are recovery procedures current? | |
| Are lessons learned tracked after testing? | |
Evidence to Review
- backup reports
- restore test records
- recovery procedures
- business impact assessments
- corrective action logs
A backup policy does not prove recoverability. Restore test evidence does.
Validate Backup and Recovery Evidence
Canadian Cyber helps manufacturers review backup reports, restore testing evidence, recovery procedures, ransomware resilience, and corrective action tracking before ISO 27001 audits.
Supplier Control Audit Questions
Suppliers often have access to systems, facilities, data, production environments, equipment, maintenance processes, or operational dependencies. Internal audit should verify both supplier governance and supplier access controls.
Supplier Governance
| Audit Question | Yes / No |
|---|---|
| Is there a current supplier inventory? | |
| Are critical suppliers identified? | |
| Are supplier owners assigned internally? | |
| Are supplier reviews performed regularly? | |
| Are security requirements included in contracts? | |
Supplier Access and Security
| Audit Question | Yes / No |
|---|---|
| Are supplier accounts reviewed periodically? | |
| Is remote supplier access approved and monitored? | |
| Is supplier security evidence collected? | |
| Are supplier incidents tracked and escalated? | |
| Are terminated supplier accounts removed promptly? | |
Evidence to Review
- supplier register
- security questionnaires
- contracts and agreements
- vendor access reviews
- incident records
Strengthen Supplier Controls Before ISO 27001 Audit
Canadian Cyber helps manufacturers build supplier registers, review critical vendors, assess supplier security evidence, and prepare vendor access review documentation.
Internal Audit Red Flags
During internal audit, watch for these common findings. These issues often create audit observations, corrective actions, or external audit delays.
- Shared OT accounts with no ownership. Shared accounts make accountability difficult.
- Vendor access that is not reviewed. Supplier access can become invisible over time.
- Missing MFA for remote access. Remote access without MFA is a major risk.
- Untested backups. Backup success does not prove restore success.
- Failed restore tests with no remediation. Lessons learned must become corrective actions.
- Incomplete supplier inventories. You cannot review suppliers you have not identified.
- Expired supplier assessments. Supplier reviews must stay current.
- Missing evidence of access reviews. Auditors need proof, not verbal confirmation.
Quick Internal Audit Readiness Checklist
| Control Area | Ready? |
|---|---|
| OT user access reviews completed | |
| Vendor remote access reviewed | |
| MFA enabled for remote access | |
| Backup success monitored | |
| Restore testing completed | |
| Recovery procedures documented | |
| Critical suppliers identified | |
| Supplier security reviews completed | |
| Evidence available for auditors | |
If several items are not ready, schedule remediation before the external ISO 27001 audit.
Organizing Internal Audit Evidence in SharePoint
A structured evidence workspace makes internal audit easier. Instead of chasing screenshots, reports, emails, spreadsheets, and vendor records across multiple tools, manufacturers can use SharePoint to centralize audit evidence.
| SharePoint Evidence Area | What to Store |
|---|---|
| OT Access Evidence | OT user reports, privileged access reviews, MFA records, vendor access logs. |
| Backup Recovery Evidence | Backup reports, restore tests, recovery procedures, corrective actions. |
| Supplier Evidence | Supplier register, questionnaires, contracts, vendor access reviews, incident records. |
| Internal Audit Tracker | Audit questions, evidence status, findings, owner, due date, remediation status. |
| Corrective Action Register | Audit gaps, root cause, action owner, completion date, validation evidence. |
Explore the ISMS SharePoint Solution
Canadian Cyber’s ISMS SharePoint solution helps manufacturers manage ISO 27001 evidence, internal audit records, corrective actions, OT access reviews, supplier controls, backup recovery evidence, and management review in one Microsoft 365 workspace.
Canadian Cyber’s Take
Manufacturing audits are increasingly focused on operational resilience.
Organizations that can demonstrate strong OT access controls, tested recovery capabilities, and effective supplier oversight are far better positioned for ISO 27001 audits and real-world cyber incidents.
Internal audits should verify not only that controls exist, but that they are consistently followed and supported by evidence.
The strongest internal audits find evidence gaps early, assign owners, track remediation, and prepare the organization before external audit pressure begins.
Takeaway
ISO 27001 internal audit should go beyond checking whether a policy exists.
For manufacturing organizations, internal audit should test whether:
- OT user access is current and reviewed
- remote access is approved, logged, and protected with MFA
- backups are monitored and restore testing is documented
- recovery objectives and procedures are current
- critical suppliers are identified and reviewed
- supplier access is monitored and removed when no longer needed
- evidence is organized and ready for auditors
When these areas are tested early, manufacturers reduce audit findings, improve resilience, and build stronger confidence in their ISMS.
How Canadian Cyber Can Help
Canadian Cyber helps manufacturers prepare for ISO 27001 internal audits with practical evidence reviews and operations-aware security guidance.
- OT access control reviews
- remote vendor access assessments
- backup and recovery evidence reviews
- restore testing documentation reviews
- supplier risk management reviews
- supplier register and vendor evidence support
- ISO 27001 readiness assessments
- internal audit preparation
- evidence collection and review
- SharePoint ISMS evidence workspace setup
- corrective action tracking and management review support
Stay Connected With Canadian Cyber
Follow Canadian Cyber for practical guidance on ISO 27001, internal audit, OT security, backup recovery, supplier risk, manufacturing cybersecurity, SharePoint ISMS, and vCISO support.
