When considering certification to the ISO 27001 information security standard, much of the attention is on the certification audit itself. That’s when the “magic” happens, and your organization finally becomes certified. But there’s something that is done earlier in the process that is a requirement of the standard and can smooth the path to that certificate if it’s done correctly, and that’s the internal audit. Here we look at ten steps to a successful ISO 27001 internal audit.
One of the (many) items on your list at the start of your ISO 27001 implementation is to identify a suitable person (or persons) to act as your internal auditor. The standard sets out that this person needs to be independent of the areas being audited and be competent to carry out the audit. This could be via appropriate training, qualifications or experience. Some organizations find someone internally and train them up; some go to an outside resource for these skills. Ideally, we’re talking about someone with the ISO 27001 Lead Auditor or ISO 27001 Internal Auditor qualification with a bit of experience in carrying out audits.
Once the right person is found, they need to create a documented audit programme that sets out the areas of the standard that will be audited and when. Most certification bodies prefer that all of your ISMS has been subject to internal audit before you go for certification, but after that it’s ok to spread the audits out over a three-year cycle so that all of the management system and the applicable Annex A controls are covered over that time period (although some would say that’s too long). Once your programme is decided, the first audit can be scheduled.
When the time comes to carry out a specific audit, it helps to create a plan so that everyone involved knows what will happen when. This should cover details such as:
The plan should be made available to everyone involved.
Once pleasantries have been exchanged, the audit will start with an opening meeting. This should confirm the audit plan and that everything is still as agreed. Some background to the situation within the organization would typically then be discussed, with particular emphasis on significant changes since the last audit. The date of the next certification audit would also be established. Any nonconformities raised at the last internal and external audits are reviewed and their status established (ideally all closed).
The audit proper will then begin. As standard practice, this is basically a “show and tell” exercise where the internal auditor goes through each of the clauses from the ISO 27001 standard that are in scope for this audit and asks for evidence that they are being carried out. This evidence may consist of documented information, or a demonstration of records held in a system. Details of the responses and the evidence provided (such as version number and date) are recorded in the draft report as the audit progresses. It’s important to keep an eye on the time during the audit to ensure that all of the areas in scope can be covered.
Sometimes the explanation of how the requirements of a clause of the standard (or of an Annex A control) are met doesn’t meet the need and the auditor feels that the standard is not being followed. In this case, the auditor will raise a nonconformity against the requirements of a specific part of the standard. Such nonconformities may be minor or major in degree. A minor nonconformity is usually expected to be corrected by the next audit, and this is by far the most common type. A major nonconformity would be raised if a significant part of the standard was not being complied with, such as a lack of risk assessment, or management review, and this would be expected to be addressed much more urgently.
Often the auditor will conclude that the issue identified is not serious enough to warrant a nonconformity to be raised. In this case, an observation (sometimes called an opportunity for improvement) can be documented. These are more akin to suggestions and as such are optional for the auditee to implement. Usually they are based on approaches that the auditor has seen work well elsewhere and may help with the efficiency of the ISMS.
There should be no surprises at the closing meeting, as the auditor will have mentioned all of the nonconformities and observations as they were identified. But this is the time to summarise the findings of the audit, answer any remaining questions and confirm the timing of the production of the audit report. The audit programme going forward may also be discussed.
The majority of the audit report will already have been written as the audit has progressed, but there will often be a need for some summarisation and tidying up of the results. This may either be done onsite immediately after the audit has concluded or could be completed elsewhere over the next few days, depending on time available. The report is then submitted to the auditee and if appropriate, copied to top management.
In some cases, there will be a need to follow up on progress against the nonconformities identified during the audit, and this may involve a separate meeting. This will depend on how serious or urgent the issues are. The external auditor will usually review internal audit reports, and any feedback should be returned to the internal auditor, along with actions required.
So there you have our ten steps for a successful ISO 27001 internal audit. Done well, internal auditing is a valuable tool for ensuring that an ISMS stays fresh and useful and avoiding any surprises at the external (certification or surveillance) audits. It’s worth investing the time and resources to ensure that your internal auditing programme works well for you.
Written by CertiKit’s CEO, Ken Holmes CISSP, CIPP/E. Ken is the primary author of CertiKit’s toolkit range, an ISO 27001 Lead Auditor and has helped to implement, operate and audit ISO certifications over a varied 30-year career in the Information Technology industry.
CertiKit are a provider of ISO toolkits, consultancy and internal auditing services, and have helped more than 4000 organizations worldwide with their compliance.