How to write an internal audit report for ISO 27001

As part of the management system requirements, Clause 9.2 details what must be done regarding internal audits. This includes a requirement for retaining documented evidence of the audit results, and this is done by way of an audit report.

What is an ISO 27001 internal audit?

An ISO 27001 internal audit involves a competent and objective auditor reviewing the ISMS or elements of it and testing that:

  • The requirements of the standard are met,
  • The organisation’s own information requirements and objectives for the ISMS are met,
  • The policies, processes, and other controls are effective and efficient.

In addition to the overall compliance and effectiveness of the ISMS, as ISO 27001 is designed to enable an organisation to manage its information security risks to a tolerable level, it will be necessary to check that the implemented controls do indeed reduce risk to a point where the risk owner(s) are happy to tolerate the residual risk.

Internal Audit For ISO 27001 Requirement 9.2

Clause 9.2 Internal audit mandates:

“The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system:

a) conforms to

  1. the organization’s own requirements for its information security management system; and
  2. the requirements of this International Standard;

b) is effectively implemented and maintained.

The organization shall:

c) plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits;
d) define the audit criteria and scope for each audit;
e) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;
f) ensure that the results of the audits are reported to relevant management; and
g) retain documented information as evidence of the audit programme(s) and the audit results.”

How do ISO 27001 internal audits work?

Internal audits for ISO 27001 work by following an audit programme that identifies the audits to be carried out before certification and during each certification period.

They require the selection of a competent and objective auditor to undertake each internal audit verifying compliance with the requirements of the standard, the organisation’s own information requirements and objectives for the ISMS, and that the policies, processes, and other controls are effective and efficient.

Activities included within an internal audit:

  • Documentation review
  • Evidential sampling
  • Interviewing staff with key information security responsibilities
  • Interviewing other staff (and possibly contractors)
  • Assessing the findings
  • Writing the audit report.

How often do I need to conduct an audit?

ISO 27001 itself is not explicit about how often you must perform internal audits. It is, however, expected that the audit programme follows the same requirements as those placed upon the certification bodies for conducting their audits under ISO/IEC 27006:2015 – Requirements for bodies providing audit and certification of ISMSs.

ISO 27006 requirement 9.1.5.2 e) states that the audit programme “covers representative samples of the scope of the ISMS certification within the three year period.”

Therefore, you need to conduct internal audits covering the entire standard, at minimum, over the certification period (3 years for UKAS accredited certificates).

You could do this as a single audit, but it is more commonly broken down into smaller audits over the 3-year period.

It is also important to audit some areas more frequently if the risk levels are high or the area is subject to frequent changes.

It’s recommended that you audit the management system requirements (Clauses 4-10) annually. This can be tied into your ISMS management review, which also has to be conducted annually.

Within ISMS.online, we provide a pre-built Audit Programme work area which includes:

  • Activities for 2 recommended audits before certification
  • A plan of internal audits for the first 3-year certification period
  • Placeholders for your external certification and periodic audits

Why do I need to create a report for an internal audit?

The standard requires you to document the audit results – Clause 9.2 of ISO 27001 includes the requirement to “retain documented information as evidence of the ……… audit results”. This is done within an Audit Report.

What needs to be done when preparing the report?

Obviously, before you can document the audit report, you have to plan and carry out the audit. You can then document the findings in the report.

Get started with your ISO 27001 audit plan

For each audit, you will need to plan:

  • What the audit is going to cover – which section(s) of the standard, locations, business processes etc.
  • Who the auditor will be – they must be competent and objective.
  • When the audit will be conducted – it must not have a significant adverse impact on the organisation’s operations.
  • The method(s) of audit – documentation review, sampling, interviews etc.
  • Who will need to be involved in the audit.

Documentation review

Every audit will require the review of relevant documentation, including policies, procedures, standards, and guidance relevant to the area(s) of the standard being audited. It is good practice to advise those being audited of the areas to be covered to ensure easy and timely access to the relevant documentation.

In ISMS.online, this is made easy by either having the documentation within the system or linking it within the standard’s relevant section.

Evidential sampling & interviews

Most audits will require the sampling of evidence to a lesser or greater degree. This may include interviewing relevant key staff, end users, and sometimes even temporary staff and contractors.

Sources for sampling may include, for example:

  • Interviews with employees and other persons
  • Observations of activities and the surrounding work environment and conditions
  • Documents, such as policies, objectives, plans, procedures, standards, instructions, licenses and permits, specifications, drawings, contracts and orders
  • Records, such as inspection records, minutes of meetings, audit reports, records of the monitoring programme and the results of measurements
  • Data summaries, analyses, and performance indicators
  • Information on the auditee’s sampling plans and the procedures for the control of sampling and measurement processes
  • Reports from other sources, e.g. customer feedback, external surveys and measurements, additional relevant information from external parties and supplier ratings
  • Databases and websites
  • Simulation and modelling

Analysis

Once the data gathering for the audit has been done, it will be necessary for the auditor to assess and analyse the findings to determine any nonconformities or opportunities for improvement.

Findings are normally categorised as one of the following:

  • Major nonconformity
  • Minor nonconformity
  • Opportunity for improvement

Some certification bodies also use:

  • Observation – where there are early indications a minor nonconformity may exist or may develop if no action is taken.
  • Positive point – awarded either where an organisation has gone beyond recognised good practice or where there has been significant improvement in an area since the previous audit.

Report

Having analysed the findings, the audit report can now be prepared and presented to the person or team responsible for the ISMS for review and follow-up.

How is an internal audit report prepared?

The audit report must be prepared as documented information, but this doesn’t mean it has to be a separate Word or PDF document. Within the ISMS.online platform, we encourage you to avoid creating such standalone documents and instead provide a work area in which the report can be documented directly. This area offers additional functionality, including the ability to easily link to other work areas, policies, controls, risks, corrective action and improvement “tickets”, and more.

Create an executive summary

The executive summary is useful so that senior management can quickly and easily see an overview of the findings, including any possible critical issues, trends, and opportunities for improvement. This can then be easily linked to the ISMS management review following Clause 9.3.

This will usually include:

  • A general overview of the operation of the areas of the ISMS covered in the audit
  • A numerical summary of the categories of findings
  • The highlighting of any urgent/critical findings
  • A brief description of the next steps to be taken to address any findings

Introduce terminology used

To ensure a common understanding of the report’s findings, it is necessary to include definitions of any terminology used that is specific to the organisation, the audit process, or the standard. Remember, not all who may need to read, assess and understand the report will necessarily understand all of the terminology used.

Describe the Audit Plan

This will include:

  • The scope of the audit – area(s) to be covered, locations, staff, business processes etc.
  • The name of the auditor(s)
  • The dates, times and locations of the audit

Describe facts found

For each section of the audit, you should document the findings, including notes of any evidential samples taken.*

It is good practice to record compliance and positive points and document any nonconformities or opportunities for improvement.

The findings should record the facts found relevant to the ISMS and the standard and should not include opinion or conjecture beyond reasonable extrapolation.

*Note – if evidential samples contain personally identifiable information, it is usual practice to pseudonymise or anonymise the data in line with privacy legislation requirements such as GDPR.

Document nonconformities and opportunities for improvement

Where nonconformities and opportunities for improvement are identified, these must be clearly documented so that corrective actions and improvement items can be recorded and managed through the organisation’s recognised processes as documented in accordance with Clause 10.1 Nonconformity and corrective action; and 10.2 Continual improvements.

Describe recommendations

As this is an internal audit report, it is allowable for an auditor to make recommendations about how an organisation might address findings. Ultimately the decisions relating to corrective actions and improvements must be made by the relevant individuals or teams responsible for the ISMS and information security.

How ISMS.online makes reporting easy

The ISMS.online platform dispenses with the need for creating Word documents, PDFs and spreadsheets by providing an all-in-one-place solution for easily documenting and linking all aspects of the ISMS, including the documentation of audit reports.

ISMS.online includes a pre-built audit programme project that covers both internal and external audits.

The pre-built audit programme includes:

  • Activities for 2 recommended audits before certification
  • A plan of internal audits for the first 3-year certification period
  • Placeholders for your external certification and periodic audits

Each internal audit activity contains a template for a combined audit plan and report.

Prior to conducting the audit, the template acts as the audit plan – including which areas are to be audited and providing prompts for recording when the audit will be conducted and by whom.

During or after conducting the audit, the auditor can write notes directly into the templated audit activity.

As well as providing the audit activity templates, ISMS.online lets you quickly link to other work areas within the platform, so linking audit findings to controls, corrective actions and improvements, and even to risks, is easy and accessible. This will enable you to readily demonstrate to your external auditor the joined-up management of identified findings.

Need help with your ISO 27001 audit?

Contact us, and we can provide support.