So, you’ve managed to attain certification to ISO 27001. You’ve strengthened your business’ information security, providing the platform for success. But, the work doesn’t stop there. To stay compliant with the requirements of the iso 27001 Standard, you must carry out an ISO 27001 internal audit regularly.
Developing an Information Security Management System (ISMS) is just the beginning of the process. An ISO 27001 internal audit is carried out by your business to assess if your ISMS still satisfies the criteria set out in ISO 27001.
To shed some light on carrying out an internal audit for ISO 27001, we’ve pulled together some valuable tips and insights to help you. So, let’s dive in and untangle the world of ISO 27001 internal audits!
What does an ISO 27001 internal audit require?
After obtaining certification to ISO 27001, you may be forgiven for thinking that your business is safeguarded against cyber threats and that no further action is needed. Although there is lots of work to prepare your business and develop a stringent ISMS, the work is never fully completed. Think of it this way, would you carry out renovation works on your property and not continue making improvements as time goes on? The same premise applies to your ISMS. An ISO 27001 internal audit is different from certification, as it requires you to assess the functions of your ISMS.
Whereas ISO 27001 certification is carried out by an accredited external ISO 27001 auditor, the ISO 27001 internal audit is done by you. The internal audit aims to examine the ISMS in full, so you can determine what is working well and what needs improving to refine your information security measures. It can help you discover ISO 27001 non-conformances that can be damaging to the functioning of your business.
An ISO 27001 internal audit helps to raise awareness for your employees, so you can align your business on the required fixes to solidify your information security management system.
ISO 27001:2022 and internal audits
Much like the ISO 27001:2013 Standard, the Internal Audit Clause 9.2 remains the same in the revised ISO 27001:2022 Standard. The only changes made were to the wording of the Clause, with the creation of two new separate sub-clauses.
The new Clause 9.2.1 states that:
An organisation shall conduct internal audits at planned intervals to provide information on whether the ISMS:
- Conforms to the organisation’s requirements for the ISMS.
- That the requirements of the ISMS are being effectively implemented and maintained.
- That the ISMS is installed and maintained properly.
Clause 9.2.2 looks at the Internal Audit Programme and states that the ‘organisation shall plan, establish, implement and maintain an audit programme that includes the frequency, methods, responsibilities, planning requirements and reporting’.
When establishing the internal audit programme, your business should consider the importance of the processes concerned and the results of previous audits. This should be carried out by:
- Defining the audit criteria and scope for each audit.
- Selecting auditors to conduct audits that are objective and impartial.
- The results of the ISO 27001 internal audit are reported to all relevant parties within your business.
- All information should be documented and made available as evidence of the implementation of the audit programme and audit results.
How often should I carry out an ISO 27001 internal audit?
Whilst there isn’t a set time frame to carry out an ISO 27001 internal audit, we recommend that you carry out an audit on an annual basis at the very minimum. Every organisation’s ISMS is unique and comprises many different variables. Whilst it may not always be practical to undertake an ISO 27001 internal audit frequently, the certification for ISO 27001 usually spans one year. Therefore, an annual audit should be prioritised to help you keep within the boundaries of compliance.
The benefits of an ISO 27001 internal audit
Being a proactive business should be a priority for your organisation. Seizing the initiative means you can cultivate a platform for success, iron out any gaps in your processes and aim for continuous improvement. Internal audits for ISO 27001 help to highlight any pesky parts pulling down certain procedures across the business.
By carrying out your internal audit sufficiently, you’ll be able to oversee your ISMS in greater detail, ensuring that:
- Any vulnerabilities and non-conformities are recognised early on, so the appropriate course of action can be applied.
- Conduct regular ISO 27001 risk assessments that help identify new threats to your information security.
- Developing a platform for your business to help build and sustain cyber resilience
- Enhance lines of communication between employees, managers and stakeholders concerning the ISMS.
- Develop a strong foundation for continuous improvement across the organisation – in line with the criteria of ISO 27001.
The internal audit for ISO 27001 is your foundation for success. Its premise is straightforward – to close gaps in your ISMS and minimise non-conformities so you stay compliant with the Standard. These principles will help transform your business into a seamless operation, offering strong protection against information security breaches.
The ISO 27001 internal audit checklist
A checklist is the best way to carefully analyse each part of the ISO 27001 internal audit to make sure you have everything you need ahead of it. Generally, there is a five-step approach to take when carrying out an ISO 27001 internal audit. You should consider the following elements as part of your ISO 27001 internal audit checklist.
- Define the scope of the audit and who will carry out the auditing process
- Gather all the relevant documentation you need to evidence your processes
- The internal auditor or auditing team will review the ISMS and documentation
- The report will be written following the conclusion of the auditing process
- Management will review the findings and highlight the necessary action to take
Let’s drill down into the details of each stage of the audit process a little more…
Step 1: Defining the scope of the internal audit
At the outset, your ISO 27001 assessment should be carried out to establish a plan. This should include scrutiny of your information systems and assets, which you should list in full. A handy tip is to align the criteria of the relevant ISO 27001:2022 Standard and Annex A controls against your assets.
Step 2: Gathering your documentation
Whoever is carrying out the ISO 27001 internal audit, they’ll need to see your information security policies, the ISO 27001 controls you’ve applied and all supporting documentation to evidence the changes you’ve made. Here’s a little round-up of the type of documents you’ll need to have ready to show.
- A Statement of your ISMS Scope – This will appear in your ISO 27001 certificate and is a statement outlining the information and processes that the ISMS safeguards.
- Information Security Policy – This document demonstrates to the auditor the business approach to information security.
- ISO 27001 Risk Assessment – As we’ve touched upon, the risk assessment is crucial to the audit process. It communicates your intentions as a business, what your commitments are and the measures you;’ll take to reach those goals. Above all else, it should reflect the level of risk tolerance that your business can withstand and the response to each risk.
- Meeting minutes – It’s important that managerial teams are at the forefront of the business’ approach to information security. Meeting minutes are a vital component that shows your commitment to the purpose and objectives of information security.
- Gap analysis – An effective gap analysis helps address vulnerabilities and issues with non-conformance.
- Business Continuity Policy – Should the worst happen and a cyber attack impacts your business, you should have a business continuity plan in place to help negate the impact of this.
Step 3: Conducting the internal audit
At this stage, you should have all your documents in order and the internal audit can commence. The auditor or auditing team will go through each of your documents, highlighting the controls and measures you have in place to ensure they align with the ISO 27001 Standard. This is the crucial part in the auditing process, and will define if your measures meet the requirements for the certification. If not, then the auditor will outline the work that is needed to help you get over the line.
Step 4: Writing the internal audit report
Your chosen internal auditor will then write up the findings of the report. Contained within the report should be the findings of the report, details of any non-conformities and any required adjustments.
Here’s a rundown of the key areas that an ISO 27001 internal audit report should contain:
- The scope of the audit
- The objectives of the ISMS
- Any timelines and assessments
- A synopsis of who should review the final written report and whether the information should be classified.
- A detailed written analysis of all the findings of the audit.
- Any recommendations and corrective actions.
- A written statement that outlines any limitations affecting the scope of the audit.
Step 5: Presenting your written audit report
The final step is to present the report to the delegated management team within your company. The discussion should touch upon any areas for improvement and determine whether your business is now ready to obtain certification for ISO 27001.
Write your ISO 27001 report with our assistance
So, we’ve covered all areas of the ISO 27001 internal audit, it’s time to tell you about Citation ISO Certification and the support we offer. Although we can’t carry out the internal audit for you, we can guide you through every step with expert tutelage and support.
Then, you can gain ISO 27001 certification through our quick and easy three-step certification process.
Discover more about our ISO 27001 costs and start strengthening information security for your business right away. We’ve helped countless businesses over the years and we’re here to do the same for you. Get in touch at 0333 344 3646 or email us at isosales@citation.co.uk. For more information, why not check our ISO 27001 guide?