Compliance

ISO 27001 Firewall Audit Checklist: 12 Controls Auditors Actually Check

The FwChange Team

ISO 27001 certification auditors check specific firewall controls during every surveillance and recertification audit. Yet most security teams prepare by reading the entire Annex A control set instead of focusing on what auditors actually examine when they sit down with your firewall management team. This checklist covers the 12 controls that matter most — the ones that generate findings, hold up certifications, and cause the most pain when they are missing.

Whether you are preparing for your initial ISO 27001 certification or your annual surveillance audit, this guide maps each control to specific firewall evidence requirements so your team knows exactly what to prepare.

Why Firewalls Are Central to ISO 27001 Audits

Firewalls sit at the intersection of multiple Annex A control domains: network security, access control, change management, logging, and incident response. A single firewall touches controls from at least four different categories. This makes the firewall one of the most frequently examined assets during an ISO 27001 audit.

Auditors know this. They typically spend 2-4 hours specifically on firewall controls during a surveillance audit and 4-8 hours during initial certification. They will ask to see configurations, change logs, approval records, review evidence, and access control lists. Being prepared for these requests is the difference between a clean audit and a corrective action plan.

The 12 Controls Auditors Actually Check

The following controls from ISO 27001:2022 Annex A directly affect firewall management. For each control, we list what auditors look for and what evidence you need.

1. A.8.20 — Network Security

This is the primary firewall control. Auditors verify that network services, including firewalls, are identified, documented, and managed with defined security requirements. They want to see a network security architecture document that shows where firewalls are deployed, what they protect, and how they are configured at a high level.

Evidence Required

  • Network diagram showing all firewall placements and trust zones
  • Firewall inventory with vendor, model, firmware version, and responsible team
  • Security requirements document defining what each firewall must enforce

2. A.8.21 — Security of Network Services

This control extends A.8.20 to cover managed services and third-party network security. If you use managed firewall services, cloud security groups, or SASE platforms, auditors will check that service level agreements include security requirements and that you have visibility into the configurations managed by third parties.

3. A.8.22 — Segregation in Networks

Network segmentation is one of the most closely examined controls. Auditors verify that different security domains (production, development, DMZ, management) are separated by firewalls with appropriate rules. They will ask to see specific rules that enforce segmentation and may request evidence that segmentation is tested periodically. This is closely related to your multi-vendor firewall management strategy if you use different firewalls for different segments.

4. A.5.1 — Policies for Information Security

Auditors expect a documented firewall management policy that covers rule creation, modification, deletion, review, and emergency changes. This policy should reference the organization's overall information security policy and define roles, responsibilities, and escalation procedures for firewall management.

5. A.8.9 — Configuration Management

This control requires that firewall configurations are managed through a defined process. Auditors check that configurations are baselined, changes are tracked, and there is a process to detect unauthorized modifications. This is where policy drift detection becomes essential — it provides continuous evidence that configurations match their approved baselines.
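The baseline-versus-running comparison that A.8.9 asks for can be shown concretely. The following is an added example, not FwChange's code: it fingerprints each rule on its security-relevant fields, diffs a constructed approved baseline against a constructed running config, and also flags rules that carry no change reference (which cannot be traced to an approval). The rule format is a vendor-neutral dict that a real export would first be parsed into; the digest over the canonical baseline is what you would store as the approved-baseline evidence record.

```python
"""Configuration-drift check for a firewall rulebase (A.8.9).

Added example, not FwChange code. The rule records are a constructed,
vendor-neutral representation; a real deployment would first parse the
vendor's config export into this shape.
"""
import hashlib
import json

RULE_FIELDS = ("src", "dst", "service", "action")

# Constructed approved baseline: the rule set change management signed off on.
BASELINE = [
    {"id": "R1", "src": "10.0.0.0/8", "dst": "10.20.0.10/32",
     "service": "tcp/443", "action": "allow", "change": "CHG-1001"},
    {"id": "R2", "src": "192.168.5.0/24", "dst": "10.20.0.20/32",
     "service": "tcp/22", "action": "allow", "change": "CHG-1002"},
    {"id": "R3", "src": "any", "dst": "any",
     "service": "any", "action": "deny", "change": "CHG-0001"},
]

# Constructed running config as pulled from the device: R2 has been widened
# and R4 was added without a change reference, neither via change management.
RUNNING = [
    {"id": "R1", "src": "10.0.0.0/8", "dst": "10.20.0.10/32",
     "service": "tcp/443", "action": "allow", "change": "CHG-1001"},
    {"id": "R2", "src": "192.168.0.0/16", "dst": "10.20.0.20/32",
     "service": "tcp/22", "action": "allow", "change": "CHG-1002"},
    {"id": "R4", "src": "any", "dst": "10.20.0.30/32",
     "service": "tcp/3389", "action": "allow", "change": None},
    {"id": "R3", "src": "any", "dst": "any",
     "service": "any", "action": "deny", "change": "CHG-0001"},
]


def baseline_digest(rules):
    """SHA-256 over the canonical JSON of the rule set, for the evidence record.

    Sorting by id and using sort_keys makes the digest independent of rule
    order and dict insertion order, so one approved set always hashes the same.
    """
    canonical = json.dumps(sorted(rules, key=lambda r: r["id"]), sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


def fingerprint(rule):
    """The security-relevant fields of a rule; metadata such as the change id is ignored."""
    return tuple(rule[f] for f in RULE_FIELDS)


def detect_drift(baseline, running):
    """Compare running rules against the approved baseline, matched by rule id."""
    base = {r["id"]: r for r in baseline}
    run = {r["id"]: r for r in running}
    added = [r for rid, r in run.items() if rid not in base]
    removed = [r for rid, r in base.items() if rid not in run]
    modified = [
        (base[rid], run[rid])
        for rid in base
        if rid in run and fingerprint(base[rid]) != fingerprint(run[rid])
    ]
    # Rules with no change reference cannot be traced to an approval (A.8.32).
    untracked = [r for r in running if not r.get("change")]
    return {"added": added, "removed": removed, "modified": modified, "untracked": untracked}


def drift_report(baseline, running):
    """Findings as text lines; an empty list means the running config matches the baseline."""
    d = detect_drift(baseline, running)
    lines = [f"ADDED     {r['id']}: {fingerprint(r)}" for r in d["added"]]
    lines += [f"REMOVED   {r['id']}: {fingerprint(r)}" for r in d["removed"]]
    lines += [f"MODIFIED  {b['id']}: {fingerprint(b)} -> {fingerprint(r)}" for b, r in d["modified"]]
    lines += [f"UNTRACKED {r['id']}: no change reference" for r in d["untracked"]]
    return lines


if __name__ == "__main__":
    print("baseline digest:", baseline_digest(BASELINE))
    for line in drift_report(BASELINE, RUNNING):
        print(line)
```

Run on a schedule, an empty report is itself the continuous evidence the control asks for; a non-empty one is an unauthorized modification to investigate through the incident and emergency-change procedures.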

6. A.8.32 — Change Management

The change management control is where most audit findings occur. Auditors will select a sample of firewall changes from the past 12 months and trace each one through the full change management workflow: request, risk assessment, approval, implementation, and verification. If any step is missing from even one sampled change, it generates a nonconformity.

What Auditors Sample

  • 3-5 standard changes from the past 12 months (full workflow trace)
  • 1-2 emergency changes (retroactive documentation and review)
  • 1 denied/rejected change (proves the approval process has teeth)
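The workflow trace an auditor performs on sampled changes can be automated as a pre-audit self-check. The following is an added example, not FwChange's code: the change records are constructed, and the step names follow the workflow named above (request, risk assessment, approval, implementation, verification). It checks that every required step is present and that the steps happened in order; an emergency change is expected to be approved retroactively rather than not at all, and a rejected change must not show an implementation step.

```python
"""Trace sampled firewall changes through the change management workflow (A.8.32).

Added example, not FwChange code. The change records are constructed and the
step names follow the workflow the audit traces: request, risk assessment,
approval, implementation, verification.
"""
import random
from datetime import datetime

# Steps a standard change must show, in this order.
STANDARD_STEPS = ["request", "risk_assessment", "approval", "implementation", "verification"]
# An emergency change may be implemented first, but must still be documented
# and reviewed afterwards, so approval is expected last rather than absent.
EMERGENCY_STEPS = ["request", "implementation", "verification", "approval"]
# A rejected change must stop at the approval decision.
REJECTED_STEPS = ["request", "risk_assessment", "approval"]


def step(at, by):
    return {"at": at, "by": by}


# Constructed change records covering the cases an auditor samples.
CHANGES = [
    {"id": "CHG-1001", "type": "standard", "steps": {          # clean
        "request": step("2024-03-01T09:00", "alice"),
        "risk_assessment": step("2024-03-01T11:00", "bob"),
        "approval": step("2024-03-02T10:00", "carol"),
        "implementation": step("2024-03-03T22:00", "alice"),
        "verification": step("2024-03-04T08:00", "bob")}},
    {"id": "CHG-1002", "type": "standard", "steps": {          # never verified
        "request": step("2024-04-10T09:00", "alice"),
        "risk_assessment": step("2024-04-10T13:00", "bob"),
        "approval": step("2024-04-11T10:00", "carol"),
        "implementation": step("2024-04-12T22:00", "alice")}},
    {"id": "CHG-1003", "type": "standard", "steps": {          # implemented before approval
        "request": step("2024-05-06T09:00", "dave"),
        "risk_assessment": step("2024-05-06T11:00", "bob"),
        "approval": step("2024-05-08T10:00", "carol"),
        "implementation": step("2024-05-07T22:00", "dave"),
        "verification": step("2024-05-08T12:00", "bob")}},
    {"id": "CHG-1004", "type": "emergency", "steps": {         # retroactively approved
        "request": step("2024-06-02T02:00", "alice"),
        "implementation": step("2024-06-02T02:30", "alice"),
        "verification": step("2024-06-02T03:00", "bob"),
        "approval": step("2024-06-03T09:00", "carol")}},
    {"id": "CHG-1005", "type": "standard", "decision": "rejected", "steps": {
        "request": step("2024-07-15T09:00", "dave"),
        "risk_assessment": step("2024-07-15T14:00", "bob"),
        "approval": step("2024-07-16T10:00", "carol")}},
]


def required_steps(change):
    if change.get("decision") == "rejected":
        return REJECTED_STEPS
    return EMERGENCY_STEPS if change["type"] == "emergency" else STANDARD_STEPS


def trace_change(change):
    """Findings for one change record; an empty list means the trace is complete."""
    findings = []
    steps = change["steps"]
    required = required_steps(change)
    if change.get("decision") == "rejected" and "implementation" in steps:
        findings.append("rejected change was implemented")
    findings += [f"missing step: {s}" for s in required if s not in steps]
    # Steps that are present must have happened in the required order.
    present = [s for s in required if s in steps]
    times = [datetime.fromisoformat(steps[s]["at"]) for s in present]
    for i in range(1, len(present)):
        if times[i] < times[i - 1]:
            findings.append(f"{present[i]} recorded before {present[i - 1]}")
    return findings


def audit(changes):
    return {c["id"]: trace_change(c) for c in changes}


def nonconforming(changes):
    return [c for c in changes if trace_change(c)]


def sample_changes(changes, n, seed=None):
    """Random sample in the auditor's role; the seed only makes the demo reproducible."""
    return random.Random(seed).sample(changes, min(n, len(changes)))


if __name__ == "__main__":
    for cid, findings in audit(sample_changes(CHANGES, 5, seed=42)).items():
        print(cid, "OK" if not findings else "; ".join(findings))
```

Because the auditor picks the sample, the useful pre-audit run is `nonconforming(all_changes)` over the whole 12-month population rather than a sample of your own choosing.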

7. A.5.15 — Access Control

Auditors verify that access to firewall management interfaces is restricted to authorized personnel only. This means documented access control lists for who can log into each firewall, multi-factor authentication for management access, and evidence that access reviews are performed at least annually. Shared accounts or generic “admin” credentials are an immediate finding.

8. A.8.15 — Logging

Firewall logging must cover both traffic logs (what the firewall permitted and denied) and management logs (who logged in, what they changed, when). Auditors check that logs are sent to a centralized system, retained for the period defined in your policy (typically 12 months minimum), and protected from tampering. They may ask to see specific log entries for sampled changes.

9. A.8.16 — Monitoring Activities

Beyond logging, auditors want evidence that firewall events are actively monitored. This includes alerts for failed authentication attempts, configuration changes outside of approved windows, and traffic anomalies. If you have a SIEM integration, be prepared to show the alert rules and escalation procedures.
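The alert rules named above (failed authentication attempts, configuration changes outside approved windows) together with the logging and access-control expectations from A.8.15 and A.5.15 can be expressed as detection logic over the management log. The following is an added example, not FwChange's code: the log lines, the approved change window (00:00 to 03:59 UTC) and the event grammar are constructed stand-ins for what a real firewall emits, and the thresholds are illustrative.

```python
"""Monitoring rules over firewall management log lines (A.8.15 / A.8.16).

Added example, not FwChange code. The log lines and the approved change
window are constructed; the event grammar ("mgmt: login ok|login failed|commit
key=value ...") is a stand-in for whatever the firewall actually emits.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) mgmt: (?P<event>login ok|login failed|commit) (?P<kv>.*)$"
)

FAIL_THRESHOLD = 5            # failed logins from one source ...
FAIL_WINDOW_S = 300           # ... within this many seconds raises an alert
APPROVED_HOURS = range(0, 4)  # constructed: commits are approved 00:00-03:59 UTC only
GENERIC_ACCOUNTS = {"admin", "root"}  # shared/generic credentials are an A.5.15 finding

# Constructed management log for one firewall.
LOG = """\
2024-05-07T01:10:05Z fw-edge-01 mgmt: login ok user=alice src=10.0.5.12
2024-05-07T01:12:40Z fw-edge-01 mgmt: commit user=alice change=CHG-1001 rules=+1
2024-05-07T14:03:11Z fw-edge-01 mgmt: login failed user=admin src=203.0.113.45
2024-05-07T14:03:19Z fw-edge-01 mgmt: login failed user=admin src=203.0.113.45
2024-05-07T14:03:27Z fw-edge-01 mgmt: login failed user=admin src=203.0.113.45
2024-05-07T14:03:35Z fw-edge-01 mgmt: login failed user=admin src=203.0.113.45
2024-05-07T14:03:44Z fw-edge-01 mgmt: login failed user=admin src=203.0.113.45
2024-05-07T15:30:02Z fw-edge-01 mgmt: login ok user=bob src=10.0.5.20
2024-05-07T15:31:48Z fw-edge-01 mgmt: commit user=bob change=none rules=+1
2024-05-07T16:00:00Z fw-edge-01 mgmt: login ok user=admin src=10.0.5.99
"""


def parse(line):
    """One log line -> dict, or None for lines that are not management events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec.update(kv.split("=", 1) for kv in rec.pop("kv").split())
    return rec


def detect(log_text):
    """Return (alert_type, subject, timestamp) tuples in log order."""
    alerts = []
    recent_failures = defaultdict(deque)  # src -> timestamps of recent failed logins
    for line in log_text.splitlines():
        r = parse(line)
        if r is None:
            continue
        when = r["ts"].isoformat()
        if r["event"] == "login failed":
            q = recent_failures[r["src"]]
            q.append(r["ts"])
            while (r["ts"] - q[0]).total_seconds() > FAIL_WINDOW_S:
                q.popleft()
            if len(q) == FAIL_THRESHOLD:  # fires once, when the burst reaches the threshold
                alerts.append(("auth_failure_burst", r["src"], when))
        elif r["event"] == "login ok" and r["user"] in GENERIC_ACCOUNTS:
            alerts.append(("generic_account_login", r["user"], when))
        elif r["event"] == "commit":
            if r["ts"].hour not in APPROVED_HOURS:
                alerts.append(("change_outside_window", r["user"], when))
            if r.get("change", "none") == "none":
                alerts.append(("change_without_ticket", r["user"], when))
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG):
        print(*alert)
```

The `change_outside_window` and `change_without_ticket` rules are what let monitoring feed change management: a commit the SIEM saw but the workflow did not is exactly the unapproved change an auditor's sample would surface.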

10. A.8.8 — Management of Technical Vulnerabilities

This control covers firewall firmware patching and vulnerability scanning. Auditors check that firewalls are on supported firmware versions, that known vulnerabilities are tracked and remediated within defined timelines, and that the vulnerability management process covers network infrastructure (not just servers and endpoints).

11. A.5.36 — Compliance with Policies

Auditors verify that regular reviews confirm firewall configurations comply with documented policies. This is the rule recertification control. Evidence must show that rule reviews happen at the frequency defined in your policy (typically quarterly or semi-annually), that findings are tracked to resolution, and that someone with appropriate authority signs off on the review.
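A recertification due-date check makes "reviews happen at the frequency defined in your policy" verifiable rather than asserted. The following is an added example, not FwChange's code: the review intervals follow the frequencies the FAQ below gives (quarterly for internet-facing and DMZ firewalls, semi-annual for internal), and the rules, review dates and sign-off names are constructed.

```python
"""Rule recertification status check (A.5.36).

Added example, not FwChange code. Review intervals follow the frequencies in
the FAQ (quarterly for internet-facing and DMZ, semi-annual for internal);
the rules and review records are constructed.
"""
from datetime import date, timedelta

REVIEW_INTERVAL = {
    "internet": timedelta(days=90),
    "dmz": timedelta(days=90),
    "internal": timedelta(days=180),
}

# Constructed rule review records.
RULES = [
    {"id": "R1", "zone": "internet", "last_reviewed": date(2024, 2, 1), "signed_off_by": "carol"},
    {"id": "R2", "zone": "dmz", "last_reviewed": date(2024, 5, 20), "signed_off_by": "carol"},
    {"id": "R3", "zone": "internal", "last_reviewed": date(2023, 10, 1), "signed_off_by": "carol"},
    {"id": "R4", "zone": "internal", "last_reviewed": date(2024, 4, 15), "signed_off_by": None},
    {"id": "R5", "zone": "internet", "last_reviewed": None, "signed_off_by": None},
]

STATUSES = ("current", "overdue", "no_signoff", "never_reviewed")


def review_status(rule, today):
    """Classify one rule's review record against the policy interval for its zone."""
    if rule["last_reviewed"] is None:
        return {"id": rule["id"], "status": "never_reviewed", "due": None, "days_overdue": 0}
    due = rule["last_reviewed"] + REVIEW_INTERVAL[rule["zone"]]
    if rule["signed_off_by"] is None:
        status = "no_signoff"        # a review nobody signed off is not evidence
    elif today > due:
        status = "overdue"
    else:
        status = "current"
    return {"id": rule["id"], "status": status, "due": due,
            "days_overdue": max(0, (today - due).days)}


def recertification_report(rules, today):
    """Rule ids grouped by status; every status key is present even when empty."""
    report = {s: [] for s in STATUSES}
    for rule in rules:
        report[review_status(rule, today)["status"]].append(rule["id"])
    return report


if __name__ == "__main__":
    for status, ids in recertification_report(RULES, date.today()).items():
        print(f"{status:15} {', '.join(ids) or '-'}")
```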

12. A.5.24 — Information Security Incident Management

Firewall-related incidents must be handled through the incident management process. Auditors may ask for examples of firewall incidents (blocked attacks, misconfigurations causing outages, unauthorized changes) and how they were detected, responded to, and documented. This connects to your emergency change procedures.

Top 5 Audit Failures and How to Avoid Them

| Finding | Control | Prevention |
| --- | --- | --- |
| Missing change approval for sampled rule | A.8.32 | Automated change workflow that blocks unapproved changes |
| No evidence of periodic rule review | A.5.36 | Scheduled recertification with sign-off records |
| Shared firewall admin credentials | A.5.15 | Individual accounts with MFA, annual access reviews |
| Firewall logs not centrally collected | A.8.15 | SIEM integration with 12-month retention |
| Outdated network diagram | A.8.20 | Quarterly diagram reviews, auto-generated topology maps |

Audit Preparation Timeline

Start preparing at least 8 weeks before your audit date. Here is a suggested timeline:

  • 8 weeks before: Run a full firewall rule audit across all firewalls. Identify and remediate findings.
  • 6 weeks before: Complete any overdue rule recertifications. Verify all changes from the past 12 months have full documentation.
  • 4 weeks before: Update network diagrams and firewall inventory. Verify firmware versions are current and supported.
  • 2 weeks before: Conduct a mock audit. Sample 5 random changes and trace them through the full workflow. Fix any gaps.
  • 1 week before: Prepare evidence packages: change logs, approval records, review reports, access lists, log retention evidence.

How FwChange Maps to ISO 27001 Controls

FwChange automates evidence collection for 9 of the 12 controls listed above. The change management workflow (A.8.32) captures every request, approval, and implementation automatically. Rule analysis covers configuration management (A.8.9) and compliance reviews (A.5.36). Policy drift detection satisfies the monitoring requirement (A.8.16). The compliance reporting engine generates audit-ready evidence packages on demand.

Frequently Asked Questions

How many firewall changes will the auditor sample?

Typically 3-5 standard changes and 1-2 emergency changes from the past 12 months. Auditors may also ask for a denied change to verify the approval process works in both directions. For organizations with high change volumes, the sample size may increase to 8-10. The auditor selects the sample — you do not get to choose which changes are reviewed.

Do we need to document every single firewall rule?

ISO 27001 does not explicitly require documentation for every rule, but it does require that rules can be traced to a business justification and that the change that created them went through the change management process. In practice, this means every rule should have an associated change request. Legacy rules that predate your ISMS should be covered by a baseline review.

What is the difference between ISO 27001 and TISAX firewall requirements?

TISAX is based on the VDA Information Security Assessment (ISA), which aligns closely with ISO 27001 but adds automotive-specific requirements. For firewalls, TISAX adds explicit requirements around prototype data protection, supplier network segregation, and more prescriptive change management timelines. If you meet ISO 27001 firewall requirements, you cover approximately 80% of TISAX requirements.

How often should firewall rules be reviewed for ISO 27001?

The standard does not prescribe a specific frequency, but auditors expect at least annual reviews. Best practice is quarterly for high-risk firewalls (internet-facing, DMZ) and semi-annually for internal firewalls. Whatever frequency you define in your policy, you must demonstrate adherence. The BSI IT-Grundschutz recommends quarterly reviews as a baseline.

Prepare for Your ISO 27001 Audit in Minutes, Not Weeks

FwChange generates audit-ready evidence for 9 of the 12 ISO 27001 firewall controls automatically. Start with a free scan of your rulebase to see your current compliance posture.

