- Internal audits are a key component of ISO 27001 compliance, as they help identify issues within the Information Security Management System (ISMS) and lay the foundation for external audits
- The audit process involves defining the scope of the audit, collecting and documenting evidence, and creating an audit report which is then presented to management
- Internal audits evaluate ISO 27001 compliance by reviewing internal policies, procedures, and implemented controls, as well as identifying non-conformities and areas for improvement
- Tools and solutions like Kertos simplify the audit process by automating tasks and optimizing evidence collection, saving time and minimizing errors
Internal audits according to ISO 27001: Why they are the key to successful certification
On the road to compliance with ISO 27001, organisations undergo two types of audits: internal and external audits. Internal audit is the foundation on which top management in an organisation makes informed decisions regarding their readiness for external audit.
Simply put, an internal audit is the key source of information for the management review. It enables you to discover problems with your management system that would otherwise stay in plain sight but unnoticed until an internal audit identifies them as non-conformities with the ISO 27001 standard. Once the issues are resolved, the organisation can apply for the certification audit.
Despite this critical interdependence, many organisations treat the internal audit as a chore to get out of the way as quickly as possible. The resulting hurried effort often distorts the outcome and unnecessarily delays the compliance process. Even when the audit is not done with certification as the objective, it significantly improves security management and provides internal assurance that the organisation's claimed compliance with the standard actually holds.
This article guides you through proven steps that put you in a strong position for certification. We understand that it's not everybody's cup of tea to grasp the intricacies of the standard, and therefore, we recommend talking to our experts for further assistance.
What is an ISO 27001 internal audit?
Internal audits are an opportunity for organisations to self-inspect how well their information security management system (ISMS) is performing. An ISO 27001 internal audit enables organisations to identify and assess areas of concern, recommend the necessary corrective actions, and track their compliance with the standard.
If left unchecked, these issues can grow until they undermine the security the management system is meant to provide, leading to operational disruptions or loss of stakeholders' trust. ISO 27001 Clause 9.2 requires internal audits to be conducted at planned intervals under a maintained audit programme. Within the PDCA (Plan-Do-Check-Act) cycle on which the standard is built, the internal audit belongs to the "Check" phase.
An internal audit assesses the management system's performance against twofold criteria: firstly, the organisation's own policies and procedures; secondly, the requirements of the standard itself, namely the mandatory clauses 4 to 10 and the Annex A controls the organisation has declared applicable in its Statement of Applicability.
The organisation's own criteria vary from one organisation to the next, depending on business objectives, risk assessments, industry-specific best practices, resource availability, and the outcomes of previous audits. Taken together, the audit criteria cover structural and procedural aspects, elaborated below for a clear understanding.
Structural aspects include:
- A visible sense of commitment from management to support the ISMS,
- Defining the scope of the ISMS
- Planning a suitable framework that integrates seamlessly with the organisational hierarchy, goals, communication channels, etc.
Procedural aspects include:
- Establishment of policies and procedures as overarching principles and step-by-step instructions that guide the organisation towards consistent decision-making, ensuring alignment with organisational goals, legal requirements, and industry best practices.
- Risk assessment to identify gaps in the organisation of the ISMS, in control implementation, and in the management system's alignment with the ISO requirements; risk treatment to manage the identified risks by choosing suitable treatment options and the controls that implement them.
Unlike a certification audit, an internal audit is conducted by the organisation's own staff. Clause 9.2 requires the audit to be objective and impartial, so organisations should ensure that internal auditors do not audit their own work or the areas for which they hold decision-making power; such individuals could influence the audit's outcome and create a conflict of interest. If no suitably independent staff are available, an external consultant can be engaged. Even when an external party performs the work, the audit is still considered internal, because it is commissioned by and reported to the organisation itself.
The internal audit process
Step 1: Define the scope of your internal audit
An audit plan establishes which information systems and assets are part of the assessment. The scope can range across processes (e.g., changes to IT systems), functions (e.g., data backup and recovery), departments (e.g., HR), physical locations (e.g., a data centre in Frankfurt), and systems (e.g., CRM). The responsible individual, team, or external consultant then determines which requirements and controls of the standard, as well as which of the organisation's own documented policies and procedures, apply to the audit.
Step 2: Evidence collection and documentation
This step covers the collection and maintenance of all evidence gathered during the audit that demonstrates effective implementation and ongoing operation of the ISMS. During the ISO 27001 stage 1 review, external auditors look for documented evidence, including dates that show how long each control has been in operation, to verify compliance with the standard.
Internal auditors should document the audit process with completeness and accuracy in mind. Comprehensive documentation comprises, among other things, the information security policies and procedures, risk assessment and risk treatment plans, the Statement of Applicability, records that controls are operating (logs, tickets, review minutes), corrective actions, and follow-up records.
Gathering evidence, however, can be complicated. Common challenges include controls that do not generate evidence in an acceptable format, or evidence that is not segregated well enough to be traced back to the control and requirement it supports. Auditors then have a hard time gathering and organising what they need, and when external auditors find evidence missing, the result is a lot of needless back and forth. To reduce this uncertainty, an automated ISO 27001 evidence collection process is recommended.
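The traceability problem described above is what an evidence manifest solves: each collected artefact is recorded with a content hash, its collection time, and the requirement it supports, so that missing evidence shows up before the external auditor asks for it and later tampering is detectable. The script below is an added illustration written for this article, not Kertos's product code or anything prescribed by ISO 27001; the requirement keys, file names and sample contents are constructed placeholders and are not Annex A control numbering.

```python
"""Build and verify an evidence manifest for an internal audit.

Added illustration: hashes each expected evidence file, records when it was
collected and which requirement it supports, flags requirements that have no
evidence, and re-checks the hashes later to detect changes after collection.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Hypothetical mapping of audit requirements to the evidence expected for them.
# The keys are placeholders for this example, not ISO 27001 Annex A identifiers.
EXPECTED_EVIDENCE = {
    "access-review": ["access_review_q1.csv"],
    "backup-restore-test": ["restore_test_2024.log"],
    "security-policy": ["infosec_policy_v3.pdf"],
}


def sha256_file(path):
    """Stream a file through SHA-256 so large logs do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir, expected=EXPECTED_EVIDENCE):
    """Record hash, size, mtime and requirement for every expected file; list gaps."""
    manifest = {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": [],
        "missing": [],
    }
    for requirement, files in expected.items():
        for name in files:
            path = os.path.join(evidence_dir, name)
            if not os.path.isfile(path):
                # A requirement with no artefact is a finding for the auditor.
                manifest["missing"].append({"requirement": requirement, "file": name})
                continue
            st = os.stat(path)
            manifest["items"].append({
                "requirement": requirement,
                "file": name,
                "sha256": sha256_file(path),
                "size": st.st_size,
                "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            })
    return manifest


def verify_manifest(evidence_dir, manifest):
    """Re-hash every recorded item; return the files that changed or vanished."""
    changed = []
    for item in manifest["items"]:
        path = os.path.join(evidence_dir, item["file"])
        if not os.path.isfile(path) or sha256_file(path) != item["sha256"]:
            changed.append(item["file"])
    return changed


def demo():
    """Constructed sample: two of three expected files exist; one is edited afterwards."""
    workdir = tempfile.mkdtemp()
    with open(os.path.join(workdir, "access_review_q1.csv"), "w") as fh:
        fh.write("user,role,reviewed_by\nalice,admin,bob\n")
    with open(os.path.join(workdir, "restore_test_2024.log"), "w") as fh:
        fh.write("restore of db-prod completed OK\n")
    manifest = build_manifest(workdir)
    # Simulate someone touching the log after the auditor collected it.
    with open(os.path.join(workdir, "restore_test_2024.log"), "a") as fh:
        fh.write("edited after collection\n")
    return manifest, verify_manifest(workdir, manifest)


if __name__ == "__main__":
    manifest, changed = demo()
    print(json.dumps(manifest, indent=2))
    print("changed since collection:", changed)
```

In practice the manifest itself should be stored outside the directory the control owners can write to (or signed), otherwise the hashes protect nothing; the "missing" list is the part worth reviewing before the stage 1 visit, since each entry is a requirement the external auditor will ask about.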
Step 3: Create the internal audit report
The audit fieldwork involves reviewing documentation and controls, observing operational procedures in action, and interviewing control owners. Through this evidence gathering, the auditor identifies gaps in the organisation's ability to meet its objectives and the requirements of ISO 27001, so that they can be closed before the certification audit. Based on the findings, including any non-conformities and the action items needed to address them, the auditor writes the internal audit report.
Step 4: Management review
The auditor presents the audit report to management and interested stakeholders. The findings list every non-conformity identified during the audit, major or minor, along with observations and opportunities for improvement. Management evaluates the effectiveness and suitability of the ISMS and, based on that evaluation, decides whether the organisation is ready to undergo the certification audit or what must be fixed first.
Streamline your internal audit with Kertos
Internal audits play a significant role in identifying and addressing issues with your ISMS. Kertos has experience with all the intricacies and steps involved in an ISO 27001 internal audit. Our consultant collaborates closely with you to create an internal audit plan that eases your path to compliance with ISO 27001 and related standards. Our compliance software is designed to save time, reduce the risk of errors, and enable an efficient internal audit. Schedule a call today for a demo.