Internal audits are an essential part of ISO 27001 compliance, so it’s important that you know what you’re doing.
Fortunately, this blogs explains the five steps you need to follow to ensure that your internal audit is a success.
1. Scoping and pre-audit survey
You must conduct a risk-based assessment to determine the focus of the audit, and to identify which areas are out of scope.
Information sources could include industry research, previous ISMS (information security management system) reports or other documents, such as the ISMS policy.
Make sure that the audit’s scope is relevant in relation to the organisation – it should normally match the scope of the ISMS being certified.
In the case of large organisations, auditors may need to review how the ISMS is implemented in each business location.
If it’s not possible to review every location, you should at least take a representative sample.
During the pre-audit survey, auditors should also identify and contact the main stakeholders in the ISMS to request any documentation that will be reviewed during the audit.
2. Planning and preparation
After agreeing the ISMS audit scope, auditors must break it down into greater detail.
This involves generating an ISMS audit workplan, in which the timing and resourcing of the audit is agreed with management. Conventional project planning charts, such as Gantt, may prove helpful.
Audit plans identify and put boundaries around the remaining phases of the audit, and often include ‘checkpoints’ that detail specific opportunities for auditors to provide informal interim updates to managers.
Such updates allow auditors to raise concerns regarding access to information or people, and for management to raise concerns regarding the audit process.
You must specify the timing of important audit work so that you can prioritise aspects that you believe pose the greatest risk should the ISMS be found inadequate.
Once an ISMS audit workplan has been generated, auditors must gather evidence by interviewing staff, managers and other stakeholders associated with the ISMS.
They should also review ISMS documents, printouts and data, and observe ISMS processes in action.
Audit tests will need to be performed to validate evidence as it is gathered, as well as audit work papers documenting the tests performed.
The initial stage of fieldwork typically involves the auditor reviewing documentation relating to and arising from the ISMS.
Their findings may indicate the need for specific audit tests to determine how closely the ISMS follows the documentation in relation to ISO 27001.
The audit evidence should be sorted, filed and reviewed in relation to the risks and control objectives.
Occasionally, analysis may identify gaps within the evidence or indicate the need for more audit tests, which will involve further field testing.
This essential component of the audit process typically consists of:
- An introduction clarifying the scope, objectives, timing and extent of the work performed;
- An executive summary indicating the key findings, a brief analysis and a conclusion;
- The intended report recipients and, where appropriate, guidelines on classification and circulation;
- Detailed findings and analysis;
- Conclusions and recommendations; and
- A statement from the auditor detailing recommendations or scope limitations.
The draft audit report should be presented to and discussed with management. Further review and revision may be necessary, because the final report generally involves management committing to an action plan.
For further practical advice, our Certified ISO 27001 ISMS Lead Auditor Live Online Training Course is ideal for anyone conducting internal and external audits.
Here you’ll develop the skills to plan, execute and report second-party (supplier) and third-party (external and certification) audits.
A version of this blog was originally published on 27 November 2017.