A question often asked by people that are new to information security is “how do I complete an internal audit of my ISMS?”.
Given the frequency of the subject coming up, we built the answer into our Virtual Coach service for ISO 27001. We also thought it would be useful to share some of our guidance and ideas on how you can take a pragmatic business-led approach to achieve the goal.
What is the purpose of the Internal audit for ISO 27001?
The goal of the internal audit in section 9 of the management requirements for ISO 27001:2013 is performance evaluation. 9.2 says the
1) conforms to
1.2) the requirements of this International Standard;
2) is effectively implemented and maintained
3) plan, implement and maintain an audit programme
4) define the audit criteria and scope for each audit
5) select auditors who will be objective and impartial
6) ensure that audits are reported to relevant management
7) retain documented information as evidence
In summary, the internal audit is one of the initiatives that demonstrates your ISMS can be trusted and is performing as expected.
The ISO 27001 standard is encouraging you to run the ISMS to meet your business objectives, scope, internal and external issues, etc. As such you also want to ensure that internal audits are conducted in the style that reflects your business and its risks, whilst considering the culture and resources you have in place.
Where and what should you audit in your Information Security Management System?
To make it real, your audit programme and philosophy should be derived from the issues, the scope, eg locations, depts, processes, products etc, along with considering the Statement of Applicability, risks and so on, not just a tick box exercise. However, you will have to demonstrate that you have audited against the entire standard – management requirements and Annex A controls – at least once during the 3-year ISO 27001 certification cycle, and that you can provide sample evidence of controls working to your requirements.
We’ve built on that approach in the standard audit programme in ISMS.online to help ensure that audits represent what the business needs. In our view, audits must be business-led and ‘real’ for people to buy into it as a valid investment and to make the audit meaningful.
How to audit at 3 pragmatic and simple levels
Level 1 – Review of policies in line with A.5.1.2 and A.8.1.2 for independent reviews
This level is a simple review of how you ‘describe’ your policies and controls, and ensure they remain relevant for the
This is clearly not internal auditing for Sect. 9.2 in itself, but is an important part of your ISMS management along with other aspects like management reviews, incident tracking etc. and will help to ensure that when you come to conduct your formal internal audit you are doing so against a solid set of policies and controls that are appropriate for your
Level 2 – internal audit plan covering the requirements and controls
This is the required, more traditional approach and will need to be carried out over the course of the certification cycle at a minimum and it may be worth considering covering this annually.
Our audit project can be used to set the objectives and scope of each audit and record your findings. Any non-conformances that are identified can then be addressed in the Improvement Track.
Level 3 – a holistic approach to demonstrating the effectiveness
We also encourage a more holistic approach to internal audits and have built a programme in the platform that focuses an audit around ‘demonstrating’ a specific part of your ISMS scope is compliant, e.g. a department, a location, a product, system or a process.
This gives you the opportunity to look at how the business works in practice, beyond InfoSec per se, and see opportunities for improvement or, indeed, uncover risks that might not be easily seen from looking through a control lens.
This also enables an
In our ISO 27001 Virtual Coach, we include an example to give a
How to plan for the ISO 27001 audit programme
It’s not easy to develop an audit plan 3 years in advance for the whole certification period if you are a fast-changing organisation. If this is the case, you should consider those scope areas that need to be audited and create a 12-month plan to meet the expectations of an external auditor.
Then be clear that you will be conducting management reviews in line with Sect. 9.3 that might bring about change to that schedule. That is part of what 9.3 is about – being proactive and also reacting to new information affecting the ISMS.
If you decide to change the audit schedule, for example, because of a trigger event justifying it, simply move the audit schedule around and add a note into your relevant management review to justify why you made the changes.
Whichever audit approach you choose to adopt, be prepared to justify, demonstrate and defend its effectiveness to an external auditor.
How much detail should you include in an ISO 27001 audit exercise?
When deciding how deep you should go with your audit exercise, consider this – Do you have enough information to be able to demonstrate you have done the audit, learned from the exercise, documented it and taken any subsequent actions?
From our own cultural perspective, this is also about being pithy, paperless and digital, and is focused on ensuring we get the job done well – celebrate success, learn and improve, and reduce risk without getting mired in bureaucracy or form filling for the sake of it.
Everyone we talked to (before building ISMS.online) had their own way of auditing. We’ve seen some very lengthy audit reports which are rarely read by the right audience, who in reality just want a summary. So, for us it’s about evidencing, learning, taking action and moving any improvements into practice, in accordance with the severity of the threat or value of the opportunity in relation to the other business priorities.
In ISMS.online, you can do that in the audit activity itself or link the improvement work to our Corrective Actions and improvements track for aligning with all Corrective Actions and improvements, not just those coming from an audit.
What does the ISO say about audits and auditing for ISO 27001?
In addition to the requirements in ISO 27001 9.2, the International Organisation for Standardisation (ISO) provides the following standards relevant to auditing:
- ISO 27007 – Provides guidance on how to audit the management system (requirements) elements of your ISMS and draws heavily from ISO 19011 (see below) with the added lens of specifics relating to auditing an ISMS.
- ISO TR 27008 – A technical report (rather than standard) which provides guidance on auditing the information security controls managed by your ISMS.
- ISO 19011 – provides guidance on auditing management systems, including the principles of auditing, managing an audit programme and conducting management system audits, as well as guidance on the evaluation of the competence of individuals involved in the audit process, including the person managing the audit programme, auditors and audit teams.
- ISO 27006 & ISO 17021 – These are for the certification bodies conducting the external audits. Whilst they can provide a useful reference to understand what the certification bodies are looking for, your internal audit will be very different, with a different purpose and you should not be looking to audit in exactly the same way.
A consistent theme we hear about is that auditors want to see that the organisation is living and breathing the ISMS and that includes leadership involvement, proactive showing of things you have in ISMS.online and being able to very quickly answer their specific questions with evidence.
Having a structure that follows the ISO 27001: 2013 methods and labelling, as in ISMS.online, also makes it easy for auditors to follow in their own ‘language’, and they can see version changes, timestamped work, collaborations, approvals by independent team members etc, so it’s a great aid to the set of tests above.
Obviously, you will still need to demonstrate that policies are lived in practice outside of ISMS.online e.g. information is backed up from your systems, customer and supplier confidentiality agreements are held etc (and of course you can use ISMS.online to show the supplier agreements too!)
Should you take a lead auditor course to help with ISO 27001?
If you are thinking about undertaking a lead auditor course it is worth considering that, when you get trained by someone whose full-time job is auditing, they are focusing on training to audit from an external perspective. This may be beyond your organisation’s requirements for complying with 9.2 and potentially cause you to lose sight of what the broader business objectives are.
You need to be able to audit well enough to demonstrate to your leadership and your interested parties (e.g. auditors) that the 9.2 internal audit is effective as part of your performance evaluation and works in practice.
In ISMS.online we have proposed a process for auditing in Sect. 9.2, and given the space to deliver it that is easy enough to adopt or adapt to your style and needs, and with internal resource constraints in mind. We’ve also included a pragmatic example in the ISO 27001 Virtual Coach.
However, many customers define their approach easily using ISMS.online and then get a simple virtual health-check along with advice, and even pragmatic ongoing audit support, with our qualified Lead Auditor.