The ISO 27001 internal audit helps you examine your Information Security Management System (ISMS) before undergoing an ISO 27001 certification audit. It is a requirement under clause 9.2 of the ISO 27001 standard but does not require an external third party and, therefore, can be conducted by your organization’s staff. You can, however, choose to have an independent third party take some weight off your shoulders by performing the audit for you. The requirements and steps below will outline the internal audit process to help you decide which method is right for you and ensure that you comply with ISO 27001 standards.
Clause 9.2 Requirements by Section
Clause 9.2 has a total of seven parts that outline the specific requirements for internal auditing.
Clause 9.2.1.a – Organizational requirements
This section requires that your organization conducts regular internal audits to ensure that your ISMS conforms to your own requirements set out upon its implementation. The audit could be conducted at any time or cadence, but it should take place no less than once per year.
Clause 9.2.1.a.2 – ISO standard requirements
This section requires that the internal audit conforms to the requirements of the ISO 27001 standard.
Clause 9.2.1.c – Audit plan
This section requires that you plan, establish, implement, and maintain an internal audit program. The program should outline the planning requirements, the planned audit frequency and timing, the methods for conducting the audit, the assignment of responsibilities, and reporting.
Clause 9.2.2.a – Audit criteria and scope
This section requires that your organization define the criteria and scope for each internal audit. You may have an overall audit plan that covers general audit functions, but a plan should also exist for each individual audit that takes into account previous audits, current resources, and potential immediate risks.
Clause 9.2.2.b – Impartiality
This section requires the selection of impartial auditors to conduct the audit. The auditors may be staff of the organization, but they should not audit functions over which they own or control. Auditors who had or have a role in the ISMS development, maintenance, or direction may cause nonconformities in the audit as these auditors are not completely independent. Having an independent third party conduct the audit can ensure impartiality.
Clause 9.2.2.c – Reporting
This section requires the reporting of audit results to the appropriate management. The communication of results should happen via the regular management review process.
Clause 9.2.2.d – Audit record retention
This section requires the documentation and retention of the audit results, planning documentation, and records gathered during the audit.
Steps for Ensuring Compliance
The following steps outline the actions you should take to ensure compliance with the above ISO 27001 internal audit clauses.
1. Review your ISMS documentation
Per clause 9.2.1.a.2, the internal audit must provide information on whether your ISMS conforms to your organization’s requirements. Conduct a risk assessment and create a statement of applicability to determine what to audit and identify the main stakeholders involved.
2. Create an audit plan
Communicate with management to create an audit plan. The plan should
- Identify the scope of the audit, including the personnel, systems, and locations to be audited
- Outline the timing of the audit, including setting checkpoints for providing interim updates to the board.
- Identify the resources that are necessary for the audit and determine how and when to procure them
- Identify auditors to conduct the audit, whether impartial staff or independent, third-party consultants
Additionally, participants should take advantage of the planning process to voice potential concerns and address them before commencing the audit.
3. Conduct the audit
Evaluate your organization’s performance while ensuring unbiased evaluation. As the purpose of the audit is to discover problems that may result in failure of the external audit, it is in your best interest to identify all weak areas.
The evaluation should include:
- Reviewing all relevant data
- Observing how the ISMS performs
- Performing audit tests to gather and validate evidence
- Documenting the results by creating reports
4. Perform analysis of the collected evidence
Analyze the collected evidence to determine:
- If there are gaps in the evidence and thus the audit methods
- If the evidence is in line with the audit plan, scope, and objectives
- If any nonconformities exist in the ISMS operations
- Non-conformities
- Opportunities for improvement
- Actions to take towards achieving improvements
5. Create the report and present it to management
The audit’s findings must be reported to management in a final report that includes:
- An introduction clarifying the timing, extent, criteria, scope, and objectives of the audit
- An executive summary outlining key findings, analyses, and conclusions
- The full exposition of the audit findings, analysis, conclusions, and recommended actions
- Any scope limitations or constraints
- A conclusion with detailed recommendations
Moving Forward
Regular internal audits demonstrate proper implementation and active maintenance of an organization’s ISMS. By following the above steps, your organization not only stays in compliance with ISO 27001 requirements but also ensures that it is constantly improving its ISMS processes and security.
While the process is straightforward, it can be time-consuming and burdensome to fit into your daily operations. This time cost as well as the necessity for impartiality could make third-party auditing right for you.