Internal audits must be conducted on a regular basis if your organisation wants to stay ISO 27001 compliant. An internal ISO 27001 audit checks that your ISMS (Information Security Management System) continues to satisfy the standard's requirements and drives the continual improvement of your information security framework.
This article explains what an internal audit is, how and why organisations should perform one, the standards that organisations must meet, and a brief checklist to help you prepare for the process.
In this article:
- What is an internal audit?
- What is covered under ISO 27001 Clause 9.2?
- How can an organisation conduct internal audits on an ISMS to comply with ISO 27001?
- Why do organisations need to audit their ISMS?
- ISO 27001 internal audit checklist
- How often does your organisation need to conduct an internal audit?
- What are the ISO 27001 requirements for an internal audit?
- What is the ISO 27001 internal audit process?
What is an internal audit?
An internal ISO 27001 audit involves a detailed assessment of your organisation’s ISMS to ensure that it complies with the standard's criteria.
Unlike a certification evaluation, it is carried out by your own employees, who will use the results to help shape the future of your ISMS. Clause 9.2 of ISO 27001 describes the requirements of an internal audit. Our essential guide to ISO 27001 will provide you with a further understanding of the ISO 27001 certification, its costs, and how it helps organisations in the long run.
The ISO 27001 internal audit examines your organisation's Information Security Management System (ISMS). It identifies areas that require attention, helping you to strengthen both the management system and the security controls it governs.
You find opportunities for improvement by observing how things are actually done and comparing that with how your policies, procedures and the standard say they should be done. These observations and the audit results should be recorded and analysed at management review meetings, which the standard requires at planned intervals; in practice this is typically between one and four times a year.
What is covered under ISO 27001 Clause 9.2?
Clause 9 of ISO/IEC 27001:2013 covers performance evaluation, and Clause 9.2 within it covers internal audit (the 2022 revision keeps the same numbering and the same substance).
Clause 9.2 states that the organisation must conduct internal audits at planned intervals to provide information on whether the information security management system (ISMS):
- Conforms to the organisation's own requirements for its ISMS.
- Conforms to the requirements of the ISO/IEC 27001 standard.
- Is effectively implemented and maintained.
To meet those objectives, the certification auditor will look for evidence that the organisation has:
- Planned, established, implemented and maintained an audit programme, including the frequency, methods, responsibilities, planning requirements and reporting, taking into account the importance of the processes concerned and the results of previous audits.
- Defined the audit criteria and scope for each audit.
- Selected auditors and conducted audits in a way that ensures objectivity and impartiality.
- Ensured that audit results are reported to the relevant management.
- Retained documented information as evidence of the audit programme and the audit results.
How can an organisation conduct internal audits on an ISMS to comply with ISO 27001?
An internal audit process shows that an organisation has taken the necessary steps to verify the effectiveness of its Information Security Management System (ISMS) against both the ISO 27001 requirements and the organisation's own ISMS requirements.
To achieve this, the Standard (ISO/IEC 27001, 2013) requires that internal audits are carried out by auditors who are objective and impartial, that is, by people who do not audit their own work.
Why do organisations need to audit their ISMS?
ISO 27001 internal audits give assurance that the management system and its procedures conform to the standard's requirements. Once the procedures have been communicated to employees and managers, the audit checks that they are actually being followed and that they work in practice, not just on paper.
The advantages of doing an internal audit include:
- Finding nonconformities yourself, before a certification auditor, a customer or an attacker does.
- Identifying weaknesses that need attention so that the security posture is solid before a security incident rather than after one.
- Demonstrating the organisation's commitment to information security to management, and keeping management informed.
- Helping employees gain a better understanding of the ISMS and of their own role in it.
- Driving continual improvement.
The objective of the audit, as stated above, is to identify any non-conformities, establish the effectiveness of the ISMS, and give the organisation a chance to improve.
ISO 27001 internal audit checklist
Here is a five-step checklist that an organisation may use to meet the ISO 27001 internal audit requirements: documentation review, management review, field review, analysis of the evidence, and reporting.
- Examining the documentation
Start by going over the documentation you prepared during the implementation of your ISMS. The audit scope should match the scope of your ISMS, so this establishes clear boundaries for what has to be audited. You should also identify the ISMS's major stakeholders; this makes it simple to request any records needed throughout the audit.
- Review of the management
The audit activity starts to take shape at this point. Before drafting a detailed audit plan, consult with management to agree the audit's time frame and resources. This commonly includes setting milestones at which you will deliver interim updates to the board. Meeting with management at this early stage allows both sides to raise any concerns they may have.
- Field Review
This is the practical, on-the-ground evaluation of your organisation. You will need to:
- Talk to front-line staff about how the ISMS works in practice.
- Validate evidence as it is acquired by conducting audit tests.
- Complete audit working papers to keep track of each test's outcome.
- Examine ISMS documents, system printouts, logs and other pertinent records.
- Analysing the evidence
The evidence gathered during the audit should be processed and examined in light of your organisation's risk treatment plan and control objectives. This step may reveal evidence gaps or highlight the need for further audit testing.
- Reporting
The findings of the audit must be presented to management. The following items should be included in your ISO 27001 internal audit report:
- An introduction that states the scope, objectives and timeline of the audit and summarises the work completed.
- An executive summary with the key findings, a high-level analysis, and a conclusion.
- The report's intended recipients, together with classification and distribution rules, if applicable.
- An in-depth examination of the results, with conclusions and recommendations for improvement.
- A statement of any recommendations or limitations on the scope of the work.
Because the final report usually records management's agreement to an action plan for the findings, further review and amendment may be required before it is finalised.
How often does your organisation need to conduct an internal audit?
ISO 27001, like many other management system standards, does not prescribe how often an organisation must conduct an internal audit; it requires audits at "planned intervals" set by the organisation's own audit programme.
This is because each organisation's ISMS is unique and must be addressed as such. Most practitioners recommend that the whole ISMS is internally audited at least once a year. Where that is not practical, every part of the ISMS should be covered at least once every three years, with higher-risk areas audited more often.
Three years is the length of a certification cycle: an ISO 27001 certificate is valid for three years, with surveillance audits by the certification body in between and a full recertification audit at the end. A certification body will expect your internal audit programme to have covered the whole ISMS within that cycle, and an ISMS that has gone longer without an internal audit is unlikely to be judged effectively maintained.
At DataGuard, we provide a range of services around information security, including consultation for ISO 27001. Learn more about our ISO 27001 consultancy services here.
What are the ISO 27001 requirements for an internal audit?
Clause 9.2 of ISO/IEC 27001 specifies the internal audit requirements. Firstly, your organisation must keep in mind that the audit should not be a task that rests with one person or one team.
An audit programme is an ongoing process, triggered at regular intervals or when there is a substantial change in the organisation (a new system, a merger, a significant incident), rather than a one-time action to gain certification.
Once the audit programme has been set up, auditors have to be selected. Auditors must be competent, objective and impartial, and the criteria you use to select them should be documented so that the choice would withstand challenge from a certification auditor or another third party.
Auditors may be internal staff who are already trained auditors or who are being trained, or you may seek outside assistance. You have complete freedom to choose, as long as nobody audits work that they designed, implemented or operate themselves.
Because it is the simplest way to protect the three pillars of internal auditing, competence, objectivity and impartiality, it is common practice to outsource this job, particularly in smaller organisations where everyone has had a hand in building the ISMS.
What is the ISO 27001 internal audit process?
In general, a timetable or Gantt chart should be created before starting the ISO 27001 internal audit process, so that employees can reserve their time accordingly and audits are not scheduled during periods of high business activity.
This is especially important for organisations that are exposed to regulatory and customer audits on a frequent basis and wish to prevent 'audit fatigue'.
When planning the audit, the areas identified as most important in the risk assessment report should receive the most attention, and should be audited first. At the same time, avoid spending a disproportionate amount of audit time on particular departments, so that no part of the organisation feels singled out and no part is ignored.
It is also important that the audit is recorded, usually in the form of a report that details who was contacted, what was said, and, most crucially, what evidence was discovered, as well as a summary of the results. It should also include:
- Nonconformities identified if any
- Opportunities for improvement
The final internal audit report provides important input to management review, because it documents the information security concerns found within the organisation and the overall effectiveness of the ISMS.
Internal audit is one of the most important management system processes and benefits both internal and external stakeholders, by showing that:
- The organisation implements and actively maintains its ISMS.
- Senior management is actively involved in ensuring that the ISMS is fit for purpose.
- The organisation is continually working to improve its ISMS, and ISMS processes and security controls are reviewed and audited on a regular basis.
Do you need assistance navigating the information security world or preparing for a certification audit? We are happy to assist you; Get in touch with one of our experts today.