How to write an internal audit report for ISO 27001

Knowing how to structure an internal audit report is an essential part of any successful ISO 27001 implementation.

A good quality internal audit report is a snapshot of the overall implementation process: it records the status of your ISO 27001 implementation in the lead-up to certification, along with details of the areas that still need addressing.

As part of the management system requirements, Clause 9.2 sets out what must be done regarding internal audits. This includes a requirement to retain documented information as evidence of the audit programme and the audit results, and that evidence is normally provided by way of an audit report.


What is an ISO 27001 internal audit?

An ISO 27001 internal audit involves a competent and objective auditor reviewing the ISMS, or elements of it, and testing that it meets the requirements of the standard and the organisation’s own requirements and objectives for the ISMS, and that the policies, processes and other controls are effectively implemented and maintained.

In addition to the overall compliance and effectiveness of the ISMS, as ISO 27001 is designed to enable an organisation to manage its information security risks to a tolerable level, it will be necessary to check that the implemented controls do indeed reduce risk to a point where the risk owner(s) are happy to tolerate the residual risk.

Internal audit for ISO 27001 requirement 9.2

Clause 9.2 internal audit mandates:

The organisation shall conduct internal audits at planned intervals to provide information on whether the information security management system:

  • Conforms to the organisation’s own requirements for its information security management system and the requirements of this international standard.
  • Is effectively implemented and maintained.

The organisation shall:

  • Plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits.
  • Define the audit criteria and scope for each audit.
  • Select auditors and conduct audits that ensure objectivity and the impartiality of the audit process.
  • Ensure that the results of the audits are reported to relevant management and retain documented information as evidence of the audit programme(s) and the audit results.

The goal of an internal audit is to confirm that the organisation’s information security management system (ISMS) conforms to the requirements of ISO 27001 and to the organisation’s own requirements for its ISMS, and that it is effectively implemented and maintained.

To accomplish this, the Standard requires that auditors are selected, and audits conducted, in a way that ensures the objectivity and impartiality of the audit process: in practice, an auditor should not audit their own work.

How do ISO 27001 internal audits work?

Internal audits for ISO 27001 work by following an audit programme that identifies the audits to be carried out prior to certification and during each certification period.

They require the selection of a competent and objective auditor to undertake each internal audit, verifying conformity with the requirements of the standard and the organisation’s own requirements and objectives for the ISMS, and that the policies, processes and other controls are effectively implemented and maintained.

Activities included within an internal audit:

  • Documentation review
  • Evidential sampling
  • Interviewing staff with key information security responsibilities
  • Interviewing other staff (and possibly contractors)
  • Assessing the findings
  • Writing the audit report

How often do I need to conduct an audit?

ISO 27001 itself does not state how often internal audits must be performed; it only requires them at planned intervals. It is generally expected, however, that the audit programme follows the same requirements as those placed upon certification bodies for conducting their audits in accordance with ISO/IEC 27006:2015 – Requirements for bodies providing audit and certification of ISMSs.

Within ISO 27006 requirement 9.1.5.2e states that the audit programme “covers representative samples of the scope of the ISMS certification within the three year period.”

Therefore, you need to conduct internal audits that cover the entire standard, at minimum, over the certification period (3 years for UKAS accredited certificates).

You could do this as a single audit, but it is more commonly broken down into smaller audits over the 3-year period. It is also important to audit some areas more frequently if the risk levels are high or the area is subject to frequent changes.

It is recommended that you audit the management system requirements (Clauses 4-10) on an annual basis. This can be tied into your ISMS management review, which Clause 9.3 requires at planned intervals and which is usually conducted annually. Certain organisations with sophisticated and well-established management systems may instead spread the audit of these clauses across the three-year cycle rather than covering them all every year, provided the whole standard is still covered within the cycle.
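The two rules above (every area covered at least once within the three-year certification cycle, and the management system clauses plus any high-risk areas covered every year) are easy to get wrong when a programme is spread across many small audits. The following is an added example, not part of the original article and not ISMS.online code, that checks a planned programme against those rules. The programme, its dates and the set of required items are constructed for illustration; the Annex A labels (A.5 to A.8) assume the four control themes of ISO 27001:2022, and treating A.8 as an annual item is an assumed high-risk choice, not a requirement of the standard.

```python
from datetime import date

# Constructed, hypothetical audit programme for one three-year certification
# cycle. "covers" lists the ISO 27001 clauses and Annex A control themes each
# audit will examine; the dates and scopes are illustrative only.
CYCLE_START = date(2024, 1, 1)
CYCLE_YEARS = 3

PROGRAMME = [
    {"name": "Audit 1", "date": date(2024, 2, 1),
     "covers": {"4", "5", "6", "7", "8", "9", "10", "A.5"}},
    {"name": "Audit 2", "date": date(2024, 9, 1), "covers": {"A.6"}},
    {"name": "Audit 3", "date": date(2025, 2, 1),
     "covers": {"4", "5", "6", "7", "8", "9", "10", "A.8"}},
    {"name": "Audit 4", "date": date(2026, 2, 1),
     "covers": {"4", "5", "6", "7", "8", "9", "10"}},
]

# Everything that must be audited at least once within the cycle:
# management system clauses 4-10 plus the four Annex A control themes.
REQUIRED_IN_CYCLE = {"4", "5", "6", "7", "8", "9", "10",
                     "A.5", "A.6", "A.7", "A.8"}

# Items to audit in every calendar year of the cycle: clauses 4-10 as
# recommended above, plus A.8 (technological controls) as an assumed
# high-change, high-risk area.
REQUIRED_ANNUALLY = {"4", "5", "6", "7", "8", "9", "10", "A.8"}


def check_programme(programme, required_in_cycle, required_annually,
                    cycle_start=CYCLE_START, cycle_years=CYCLE_YEARS):
    """Return the gaps in an audit programme:
    'not_in_cycle'  - items never scheduled within the cycle
    'missing_years' - {item: [years with no audit covering it]}
    Audits dated outside the cycle are ignored: they do not count."""
    years = range(cycle_start.year, cycle_start.year + cycle_years)
    cycle_end = date(cycle_start.year + cycle_years,
                     cycle_start.month, cycle_start.day)
    in_cycle = [a for a in programme if cycle_start <= a["date"] < cycle_end]

    covered = set()
    for audit in in_cycle:
        covered |= audit["covers"]
    not_in_cycle = sorted(required_in_cycle - covered)

    missing_years = {}
    for item in sorted(required_annually):
        gaps = [y for y in years
                if not any(a["date"].year == y and item in a["covers"]
                           for a in in_cycle)]
        if gaps:
            missing_years[item] = gaps
    return {"not_in_cycle": not_in_cycle, "missing_years": missing_years}


if __name__ == "__main__":
    result = check_programme(PROGRAMME, REQUIRED_IN_CYCLE, REQUIRED_ANNUALLY)
    for item in result["not_in_cycle"]:
        print(f"GAP: {item} is never audited within the cycle")
    for item, missing in result["missing_years"].items():
        print(f"GAP: {item} has no audit in {missing}")
```

With the constructed programme the check reports that A.7 is never audited and that A.8 is only covered in 2025, which is exactly the kind of gap an external auditor would pick up when reviewing the programme required by Clause 9.2.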

However, every business must carefully examine its processes, management system and other pertinent criteria in order to develop a sensible timetable that meets its needs. At ISMS.online, our cloud-based platform is designed to assist with the audit process.


Request a demo today to see how our solution can help your organisation demonstrate compliance with ISO 27001.


Why do I need to create a report for an internal audit?

The standard requires you to document the audit results – Clause 9.2 of ISO 27001 includes the requirement to “retain documented information as evidence of the ……… audit results”. This is done within an Audit Report.

What needs to be done when preparing the report

For each audit, you will need to plan:

  • What the audit is going to cover – which section(s) of the standard, locations, business processes etc
  • Who the auditor will be – must be competent and objective.
  • When the audit will be conducted – must not have a significant, adverse impact on the operation of the organisation.
  • The method(s) of audit – documentation review, sampling, interviews etc
  • Who will need to be involved in the audit

Documentation review

Every audit will require the review of relevant documentation, including the policies, procedures, standards and guidance relevant to the area(s) of the standard being audited. It is good practice to advise those being audited of the areas to be covered so that they can ensure easy and timely access to the relevant documentation.

In ISMS.online, this is made easy by either having the documentation within the system or linking to it within the relevant section of the standard.

Evidential sampling & interviews

Most audits will require the sampling of evidence to a lesser or greater degree and this may include interviewing relevant key staff, end-users, and sometimes even temporary staff and contractors.

Sources for sampling may include, for example:

  • Interviews with employees and other persons.
  • Observations of activities and the surrounding work environment and conditions.
  • Documents, such as policies, objectives, plans, procedures, standards, instructions, licenses and permits, specifications, drawings, contracts and orders.
  • Records, such as inspection records, minutes of meetings, audit reports, records of monitoring programme and the results of measurements.
  • Data summaries, analyses, and performance indicators.
  • Information on the auditee’s sampling plans and on the procedures for the control of sampling and measurement processes.
  • Reports from other sources, e.g. customer feedback, external surveys and measurements, other relevant information from external parties and supplier ratings.
  • Databases and websites.
  • Simulation and modelling.

Analysis

Once the data gathering for the audit has been done, it will be necessary for the auditor to assess and analyse the findings to determine if there are any nonconformities or opportunities for improvement.

Findings are normally categorised as one of the following:

  • Major nonconformity
  • Minor nonconformity
  • Opportunity for improvement

Some certification bodies also use:

  • Observation – which is where there are early indications a minor nonconformity may exist or may develop if no action is taken.
  • Positive point – awarded either where an organisation has gone beyond recognised good practice or where there has been significant improvement in an area since the previous audit.

Report

Having analysed the findings, the audit report can now be prepared and presented to the person or team responsible for the ISMS for review and follow-up.

How is an internal audit report prepared?

The audit report must be prepared as documented information, but this doesn’t mean it has to be a separate Word or PDF document. Within the ISMS.online platform we try to encourage the avoidance of creating such documents, but instead provide a work area in which the report can be directly documented and this area provides additional functionality including the ability to easily link to other work areas, policies, controls, risks, corrective action and improvement “tickets”, and more.

Create an executive summary

The executive summary is useful so that senior management can quickly and easily see an overview of the findings including any possible critical issues, trends, and opportunities for improvement. This can then be easily linked into the ISMS management review in accordance with Clause 9.3.

This will usually include:

  • A general overview of the operation of the areas of the ISMS covered in the audit.
  • A numerical summary of the categories of findings.
  • The highlighting of any urgent/critical findings.
  • A brief description of the next steps to be taken to address any findings.

Introduce terminology used

To ensure a common understanding of the findings, include definitions of any terminology that is specific to the organisation, the audit process or the standard. Remember that not everyone who needs to read, assess and understand the report will necessarily be familiar with all of the terminology used.

Describe audit plan

This will include:

  • The scope of the audit – area(s) to be covered, locations, staff, business processes etc.
  • The name of the auditor(s)
  • The dates, times and locations of the audit

Describe facts found

For each section of the audit, the findings should be documented including notes of any evidential samples taken.*

It is good practice to record compliance and positive points as well as documenting any nonconformities or opportunities for improvement. The findings should record the facts found relevant to the ISMS and the standard and should not include opinion or conjecture beyond reasonable extrapolation.

*Note – if evidential samples contain personally identifiable information, it is usual practice to pseudonymise or anonymise the data in line with the requirements of privacy legislation such as GDPR.
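The note above matters in practice because audit reports are widely circulated, often to external certification auditors, and copied access logs are a common way for personal data to leak out of the ISMS. The following is an added example, not part of the original article and not ISMS.online code, showing one way to pseudonymise evidential samples before they go into a report: identifiers are replaced with keyed (HMAC) tokens, so the report still shows that two events relate to the same person, but the mapping cannot be reversed without a key that is held separately from the report. The log lines, the key and the regular expressions are constructed for illustration; which fields count as personal data in your own evidence is for your privacy lead to decide.

```python
import hashlib
import hmac
import re

# Constructed sample evidence lines (not real data), of the kind an auditor
# might copy from an access log when sampling the logging control.
SAMPLE_EVIDENCE = [
    "2024-03-04T09:12:01Z login ok   user=alice.smith@example.com src=10.1.2.33",
    "2024-03-04T09:14:27Z login fail user=bob.jones@example.com src=10.1.2.34",
    "2024-03-04T09:15:02Z login ok   user=alice.smith@example.com src=10.1.2.33",
]

# Patterns for the identifiers we treat as personal data in this sample.
# Extend these for whatever your own evidence contains (names, employee IDs...).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def pseudonym(value: str, key: bytes, label: str, length: int = 8) -> str:
    """Stable keyed pseudonym for one identifier.

    HMAC-SHA256 under a secret key means: same value + same key -> same token
    (so the report can still correlate events), but without the key nobody can
    recover the original value, and a plain dictionary attack on common
    usernames or IP ranges does not work either. The token is truncated only
    to keep the report readable; a collision merely merges two pseudonyms."""
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{label}-{mac[:length]}"


def pseudonymise_line(line: str, key: bytes) -> str:
    """Replace every e-mail address and IPv4 address in one evidence line."""
    line = EMAIL_RE.sub(lambda m: pseudonym(m.group(0), key, "user"), line)
    line = IPV4_RE.sub(lambda m: pseudonym(m.group(0), key, "host"), line)
    return line


def pseudonymise_evidence(lines, key: bytes):
    """Pseudonymise a whole sample. The key must be stored outside the
    report (e.g. with the audit lead) and may be destroyed once the
    sample no longer needs to be re-identified."""
    return [pseudonymise_line(line, key) for line in lines]


if __name__ == "__main__":
    # Hypothetical per-audit key; in practice generate it with os.urandom.
    audit_key = b"audit-2024-Q1-evidence-key"
    for line in pseudonymise_evidence(SAMPLE_EVIDENCE, audit_key):
        print(line)
```

Use a fresh key per audit so that pseudonyms from different reports cannot be joined, and never paste the key into the report itself or into the ISMS area that holds it.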

Document nonconformities and opportunities for improvement

Where nonconformities and opportunities for improvement are identified, these must be clearly documented so that corrective actions and improvement items can be recorded and managed through the organisation’s recognised processes as documented in accordance with Clause 10.1 Nonconformity and corrective action; and 10.2 Continual improvement.

Describe recommendations

As this is an internal audit report, it is allowable for an auditor to make recommendations about how findings might be addressed, but ultimately the decisions relating to corrective actions and improvements must be made by the relevant individuals or teams responsible for the ISMS and information security.

How ISMS.online makes reporting easy

The ISMS.online platform dispenses with the need for creating Word documents, PDFs and spreadsheets by providing an all-in-one-place solution for easily documenting and linking all aspects of the ISMS including the documentation of audit reports.

ISMS.online includes a pre-built audit programme project that covers both internal and external audits.

The pre-built audit programme includes:

  • Activities for 2 recommended audits prior to certification
  • A plan of internal audits for the first 3-year certification period
  • Placeholders for your external certification and periodic audits

Each internal audit activity contains a template for a combined audit plan and report.

Prior to the audit being conducted, the template acts as the audit plan – including which areas are to be audited and providing prompts for recording when the audit will be conducted and by whom.

During or after the conducting of the audit, the auditor can write notes directly into the templated audit activity.

As well as simply providing the audit activity templates, ISMS.online provides the ability to quickly link to other work areas within the platform which means that linking audit findings to controls, corrective actions and improvements, and even to risks is made easy and accessible. This will enable you to easily demonstrate to your external auditor the joined-up management of identified findings.

Need help with your ISO 27001 audit?

Are you starting an ISO 27001 audit soon and feeling stressed about it? That is natural, as undertaking an ISO 27001 audit is a serious step.

The experts at ISMS.online can support your management system audit and report, advise on information security and risk mitigation strategies, deliver training to your staff, or help you with a gap analysis of your existing controls.

Request a demo today.
