What is covered under ISO 27001 Clause 9.2?
Clause 9 of the management requirements for ISO 27001:2013 is performance evaluation. 9.2 says the organisation shall conduct internal audits at planned intervals to provide information on whether the information security management system:
- Conforms to the organisation’s own requirements for its information security management system; and meets the requirements of the ISO 27001 international standard;
- Whether the ISMS is effectively implemented and maintained
To achieve those goals the ISO auditor will look to see that the organisation has:
- Planned, implemented and maintained an audit programme
- Defined the audit criteria and scope for each audit
- Selected auditors who will be objective and impartial
- Ensured that audits are reported to relevant management
- Retained documented information as evidence
How to conduct internal audits on an information security management system to comply with ISO 27001 9.2
Alongside information security risk management, internal audits are popular in creating anxiety for those new to ISMS’ and in particular organisations that are going for their first ISO 27001 certification. As such we have written a separate article on demystifying the internal audit requirements and expressing how an organisation can achieve it’s internal audit goals with much less stress and anxiety than first thought.
ISO 27001 Annex A Controls
- A.5 Information security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development, and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance
About ISO 27001
ISO 27001 requirements
- 4.1 Understanding the organisation and its context
- 4.2 Understanding the needs and expectations of interested parties
- 4.3 Determining the scope of the information security management system
- 4.4 Information security management system
- 5.1 Leadership and commitment
- 5.2 Information Security Policy
- 5.3 Organizational roles, responsibilities and authorities
- 6.1 Actions to address risks and opportunities
- 6.2 Information security objectives and planning to achieve them
- 7.1 Resources
- 7.2 Competence
- 7.3 Awareness
- 7.4 Communication
- 7.5 Documented information
- 8.1 Operational planning and control
- 8.2 Information security risk assessment
- 8.3 Information security risk treatment
- 9.1 Monitoring, measurement, analysis and evaluation
- 9.2 Internal audit
- 9.3 Management review
- 10.1 Nonconformity and corrective action
- 10.2 Continual improvement