Your-ultimate-guide-to-ISO-27001-Certification-Background

NAVIGATING ISO 27001

ISO 27001 Clause 9.2: Internal Audit

ISO 27001 made easy: A comprehensive guide to understanding the standard

Get your free guide

 

Get your free guide

Overview: ISO 27001 Requirement 9.2 

  1. Introduction

  2. What is an ISO 27001 Internal Audit?

  3. Why are ISO 27001 Internal Audits Important?

  4. Does ISO 27001 require an internal audit?

  5. What are ISO 27001 internal audit requirements?

  6. Where is an internal audit mandatory?

  7. How to plan and conduct an ISO 27001 internal audit

  8. What to look for during an ISO 27001 internal audit

  9. How to report on the findings of an ISO 27001 internal audit

ISO 27001 is an international standard that provides a framework for managing information security risks. It is used by organisations of all sizes and industries to protect their sensitive information from unauthorized access, use, disclosure, disruption, modification, or destruction.

One of the key requirements to obtain an ISO 27001 certification is to conduct regular internal audits of the information security management system (ISMS). Internal audits help organisations to identify and address any weaknesses in their ISMS and to ensure that it is operating effectively.

This article provides a comprehensive guide to ISO 27001 internal audit. It covers the following topics:

  • What is an ISO 27001 internal audit?

  • Why are ISO 27001 internal audits important?

  • How to plan and conduct an ISO 27001 internal audit

  • What to look for during an ISO 27001 internal audit

  • How to report on the findings of an ISO 27001 internal audit

  • Does ISO 27001 require an internal audit?

  • What are ISO 27001 internal audit requirements?

  • Where is an internal audit mandatory?

 

What is an ISO 27001 Internal Audit?

An ISO 27001 internal audit is an independent assessment of the ISMS to determine whether it is conforming to the requirements of ISO 27001 and whether it is operating effectively. The audit is conducted by an internal auditor who is independent of the ISMS being audited.

 

Why are ISO 27001 Internal Audits Important?

ISO 27001 internal audits are important for a number of reasons:

  • To comply with ISO 27001: ISO 27001 requires organisations to conduct regular internal audits of their ISMS.

  • To identify and address weaknesses in the ISMS: Internal audits can help organisations identify weaknesses in their information security management system (ISMS) before they are exploited by attackers.

  • To improve the effectiveness of the ISMS: Internal audits can help organisations identify areas where the ISMS can be improved.

  • To provide assurance to stakeholders: Internal audits can provide assurance to stakeholders that the ISMS is operating effectively and that the organisation is taking steps to protect its sensitive information.

Pass the external ISO 27001 audit in the first time with our 100% first-try pass rate

Our user-friendly web-based platform automates manual tasks while our in-house experts guide you every step of the way.

Book a demo
DG Seal ISO 27001

Does ISO 27001 require an internal audit?

Yes, ISO 27001 requires organisations to conduct regular internal audits of their information security management system. This is stated in Clause 9.2 of the standard, which states that:

The organisation shall conduct internal audits at planned intervals to provide information on whether the ISMS:

  1. conforms to the organisation's own requirements for its information security management system; and

  2. meets the requirements of this international standard.

The standard does not specify how often internal audits should be conducted, but it is recommended that they be conducted at least annually.

Internal audits are an important part of maintaining an effective ISMS. They help organisations to identify and address any weaknesses in their ISMS before they are exploited by attackers.

 

What are ISO 27001 internal audit requirements?

ISO 27001 audit requirements:

  • The audit must be conducted by an independent auditor who is qualified to audit ISO 27001.

  • The audit must be planned and conducted in accordance with a documented audit methodology.

  • The audit must cover all aspects of the ISMS, including risk assessment, information security controls, ISMS documentation, awareness and training, and management review.

  • The audit findings must be documented in a report that is submitted to the organisation's management.

Organisations that are certified according to ISO 27001 must also undergo an external audit by a certification body. There are two kinds of external audit, one conducted once annually called a surveillance audit where the ISMS will be reviewed as part of ongoing evaluation and the other known as a full external audit which is more in-depth and conducted every three years.

Benefits of ISO 27001 audit:

  • Improved information security posture

  • Reduced risk of information security incidents

  • Increased compliance with regulations

  • Improved customer confidence

  • Competitive advantage

If you are considering implementing ISO 27001 or if you are already certified, it is important to ensure that you are conducting regular internal audits. Internal audits are an essential tool for maintaining an effective ISMS and protecting your organisation from information security threats.

 

Where is an internal audit mandatory?

An internal audit is not required by law or regulation. However, it is a good practice for all organisations to conduct regular internal audits of their information security and other management systems.

In order to comply with ISO 27001, all companies must conduct internal audits, no matter their country or industry.

Get ISO 27001 certified in as little as 3 months.

Save yourself budget, time, and effort while building an ISMS with our easy-to-use platform. Get ready for the ISO 27001:2022 audit with up to 75% less workload.

Download your free guide now 
DG Seal ISO 27001

How to plan and conduct an ISO 27001 internal audit

To plan and conduct an ISO 27001 internal audit, organisations should follow the following steps:

  1. Define the scope of the audit: The first step is to define the scope of the audit. This includes identifying the ISMS processes and controls that will be audited.

  2. Develop an audit plan: The next step is to develop an audit plan. This plan should identify the audit objectives, the audit methodology, and the audit resources required.

  3. Conduct the audit: The audit should be conducted in accordance with the audit plan. This involves interviewing staff, reviewing documentation, and observing processes.

  4. Document the audit findings: The audit findings should be documented in a report. This report should include the audit objectives, the audit methodology, the audit findings, and any recommendations for improvement.

  5. Follow up on the audit findings: The organisation should follow up on the audit findings and implement any necessary corrective actions.

 

What to look for during an ISO 27001 internal audit

During an ISO 27001 internal audit, the auditor will look for evidence that the ISMS is conforming to the requirements of ISO 27001 and that it is operating effectively. The auditor will focus on the following areas and evidence that supports them:

  • Risk assessment: The auditor will assess whether the organisation has conducted a thorough risk assessment and whether the identified risks have been appropriately addressed.

  • Information security controls: The auditor will assess whether the organisation has implemented and is maintaining appropriate information security controls to mitigate the identified risks.

  • ISMS documentation: The auditor will assess whether the ISMS is adequately documented. You can find a list of the required documentation for the ISO 27001 certification here.

  • Awareness and training: The auditor will assess whether staff are aware of their information security responsibilities and have received appropriate training.

  • Management review: The auditor will assess whether the organisation conducts regular management reviews of the ISMS.

 

How to report on the findings of an ISO 27001 internal audit

The audit findings should be documented in a report. This report should include the following:

  • Audit objectives: The audit objectives should be clearly stated in the report.

  • Audit methodology: The audit methodology should be described in the report. This includes the audit techniques that were used and the sampling methods that were applied.

  • Audit findings: The audit findings should be described in the report. This includes a description of any weaknesses that were identified in the ISMS.

  • Recommendations: The report should include any recommendations for improvement.

The audit report should be submitted to the organisation's management

Save Money with ISO 27001

up to 50%

Cheaper than external consultants

Opt-in

up to 300%

Increase your opt-in rate with Consent & Preference Management

Scale Fast with ISO 27001

3 months

Get audit-ready in as little as three months

ISO 27001 Certificate

100%

First-try pass rate in external audits on ISO 27001 and TISAX®

ISO 27001 certification to reduce Workload

Saves up to 100 hours

of manual work to get ISO 27001 certified or TISAX® labels

ISO 27001 Certification creates trust

Customers trust us

Get in touch

P I C

p

PRIVACY

External DPO
Audit and risk analysis
Data Subject Requests
Online training courses
Cookie & Preference manager
Business advice from experts

i

INFOSEC

Prepare for ISO 27001
Build an ISMS
Cyber security
Asset management
Risk mitigation
Internal audit

c

COMPLIANCE

Digital whistleblowing system
Whistleblowing support
Compliance audit
Risk mitigation
Online training courses
Templates

ISO 27001:2022 requirements

4.1 Understanding the organisation and its context

4.2 Understanding the needs and expectations of interested parties

4.3 Determining the scope of the ISMS

4.4 Information security management system (ISMS)

5.1 Leadership and commitment

5.2 Information security policy

5.3 Organisational roles, responsibilities and authorities

6.1 Actions to address risks and opportunities

6.2 Information security objectives and planning to achieve them

7.1 Resources

7.2 Competence

7.3 Awareness

7.4 Communication

7.5 Documented information

8.1 Operational planning and control

8.2 Information security risk assessment

8.3 Information security risk treatment

9.1 Monitoring, measurement, analysis and evaluation

9.2 Internal audit

9.3 Management review

10.1 Nonconformity and corrective action

10.2 Continual improvement

 

ISO 27001 Annex A

 

Trusted and used by companies

Canon-4 The Cheeky Panda Burger King Unicef UK-1 Free Now

TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.

All data provided is for information only, based on internal estimates. This information is not indicative of KPIs, and is not given with any warranties or guarantees, expressly stated or implied in relation to accuracy and reliability.

 

Contact Sales

See what DataGuard can do for you.

Find out how our Privacy, InfoSec and Compliance solutions can help you boost trust, reduce risks and drive revenue.

  • 100% success in ISO 27001 audits to date 
  • 40% total cost of ownership (TCO) reduction
  • A scalable easy-to-use web-based platform
  • Actionable business advice from in-house experts

Trusted by customers

Canon Logo Contact Hyatt Logo Contact Holiday Inn Logo Contact Unicef Logo Contact Veganz Logo Contact Burger King Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line Logo Contact

Get to know DataGuard

Simplify compliance

  • External data protection officer
  • Audit of your privacy status-quo
  • Ongoing GDPR support from a industry experts
  • Automate repetitive privacy tasks
  • Priority support during breaches and emergencies
  • Get a defensible GDPR position - fast!

Trusted by customers

Canon Logo Contact Hyatt Logo Contact Holiday Inn Logo Contact Unicef Logo Contact Veganz Logo Contact Burger King Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line Logo Contact

Get to know DataGuard

Simplify compliance

  • Continuous support on your journey towards the certifications on ISO 27001 and TISAX®️, as well as NIS2 Compliance.
  • Benefit from 1:1 consulting
  • Set up an easy-to-use ISMS with our Info-Sec platform
  • Automatically generate mandatory policies
Certified-Icon

100% success in ISO 27001 audits to date

 

 

TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.

Trusted by customers

Canon Logo Contact Hyatt Logo Contact Holiday Inn Logo Contact Unicef Logo Contact Veganz Logo Contact Burger King Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line Logo Contact

Get to know DataGuard

Simplify compliance

  • Transparent consent collection
  • Comply with GDPR, CCPA, LGPD, ePrivacy, and more
  • Consolidate consents across multiple touchpoints
  • Support from privacy experts
  • Integrates with your marketing tools and CRM

Trusted by customers

Canon Logo Contact Hyatt Logo Contact Holiday Inn Logo Contact Unicef Logo Contact Veganz Logo Contact Burger King Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line Logo Contact

Get to know DataGuard

Simplify compliance

  • Proactive support
  • Create essential documents and policies
  • Staff compliance training
  • Advice from industry experts

Trusted by customers

Canon Logo Contact Hyatt Logo Contact Holiday Inn Logo Contact Unicef Logo Contact Veganz Logo Contact Burger King Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line Logo Contact

Get to know DataGuard

Simplify compliance

  • Comply with the EU Whistleblowing Directive
  • Centralised digital whistleblowing system
  • Fast implementation
  • Guidance from compliance experts
  • Transparent reporting

Trusted by customers

Canon Logo Contact Hyatt Logo Contact Holiday Inn Logo Contact Unicef Logo Contact Veganz Logo Contact Burger King Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line Logo Contact

Let's talk