You should consider questions and checklists that are asked in ISO-audits

You may refer the related resources available online. Some relevant links are as follows:

1. https://www.bsigroup.com/LocalFiles/en-GB/iso-iec-27001/resources/BSI-ISOIEC27001-Assessment-Checklist-UK-EN.pdf

2. https://elsmar.com/elsmarqualityforum/threads/iso-27001-2013-isms-internal-audit-checklist-questionnaire.64626/

The safest way is to start with the standard ISO/IEC 27001 itself: https://www.iso.org/standard/54534.html

The Annex A at the end of the standard should be your primary resource for your activities. There are control objectives and controls, so it can be your check list.

Also, you need to get ISO/IEC 27002, Information technology — Security techniques — Code of practice for information security controls: https://www.iso.org/standard/54533.html

As it is stated on the ISO site, ISO/IEC 27002:2013 gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization's information security risk environment(s).

It is designed to be used by organizations that intend to:

I suggest you to do a SOA (statement of applicability) following Annex A and considering a fuzzy score for each control related to your scenario.

You can find some interesting free example on google (es. https://www.iso27001security.com/ISO27k_ISMS_and_controls_status_with_SoA_and_gaps.xlsx ).