Control A15.2 of ISO 27001 requires that, as part of an information security management system (ISMS), “managers within an organisation ensure that security policies are followed”.
This sounds very sensible – but how do you know that managers are actually enforcing your ISMS security policies?
The answer is regular ISMS internal audits, and it usually falls to the information security manager or ISO 27001 project leader to develop an effective internal audit plan.
Here are five practical tips to consider when planning your internal audits.
1.Talk to HR to ensure that information security is included in all managerial job responsibilities.
This is relatively easy. Adding a responsibility to a job description provides the impetus for managers to ensure security policies are followed.
2. Encourage one or two volunteers from each department to join your internal audit team.
Getting involved in internal ISMS audits is a great opportunity for staff. As well as developing valuable audit skills, they will also gain an insight into other areas of the organisation and interact with staff at all levels – perfect for professional development.
3. Develop the skills of your internal audit team to ensure they are prepared for the job.
Audit skills development could be led by you, or you might consider external ISMS auditor training for key staff. Whichever option you select, the team must have the skills to deliver a consistent approach to auditing in order to get the best results.
Free PDF download: Information Security & ISO 27001: An Introduction
4. Plan your audit schedule at least 12 months in advance.
This will ensure you have cover for staff holidays or absences before your audits. If you have an internal quality department it’s wise to co-ordinate the timing of your internal audits with them to minimise disruption.
5. Create a clear process for documenting findings.
Any non-conformances picked up by your internal audit team need to be documented correctly. This involves recording the issue, developing an action plan and agreeing a deadline for addressing the issue.
A clear documentation process will make your role of checking and monitoring issues much quicker and easier. It will also help you to identify trends or patterns that can point to larger threats.
Finally, if you seek formal ISO 27001 certification and undergo an external ISMS audit – this documentation will be crucial in demonstrating the effectiveness of your internal audit process.
Find out more
Our ISO27001 Certified ISMS Lead Auditor Training Course, is suitable for anyone responsible for conducting internal audits. If you can’t make our classroom course, our Live Online masterclass lets you learn from the comfort of your own home.