Although an internal audit is critical for ISO 27001 compliance, for some organisations the audit process can seem bewildering.
Those looking to plan, lead and execute an ISO 27001 information security management system (ISMS) audit should follow these five stages:
- Scoping and pre-audit survey
Auditors need to conduct a risk-based assessment to determine the focus for the audit, as well as any areas that are explicitly out of scope. Information sources could include industry research, previous ISMS reports or other documents, such as the ISMS policy.
Make sure that the audit’s scope is relevant to the organisation – it should normally match the scope of the ISMS being certified. In the case of large organisations, auditors may need to review the ISMS in operation in all (or at least a representative sample of) business locations.
During the pre-audit survey, auditors should also identify and contact the main stakeholders in the ISMS to request any documentation that will be reviewed during the audit.
- Planning and preparation
After agreeing the ISMS audit scope, auditors will need to break it down into greater detail by generating an ISMS audit workplan, in which the timing and resourcing of the audit are agreed with management. Conventional project planning charts, such as Gantt charts, may prove helpful.
Audit plans identify and put boundaries around the remaining phases of the audit, and often include ‘checkpoints’ that detail specific opportunities for auditors to provide informal interim updates to managers. Such updates allow auditors to raise concerns regarding access to information or people, and for management to raise concerns regarding the audit process.
The timing of important audit work must be determined to prioritise any aspects believed to represent the greatest risks to the organisation should the ISMS be found inadequate.
- Fieldwork
Once an ISMS audit workplan has been generated, auditors must gather evidence by interviewing staff, managers and other stakeholders associated with the ISMS, reviewing ISMS documents, printouts and data, and observing ISMS processes in action. Audit tests will need to be performed to validate evidence as it is gathered, and audit work papers should document the tests performed.
The initial stage of fieldwork typically involves the auditor reviewing documentation relating to and arising from the ISMS. The auditor’s findings may indicate the need for specific audit tests to determine how closely the ISMS follows the documentation in relation to ISO 27001.
- Analysis
The audit evidence should be sorted, filed and reviewed in relation to the risks and control objectives. Occasionally, analysis may identify gaps within the evidence or indicate the need for more audit tests, which will involve further field testing.
- Reporting
The audit report, an essential component of the audit process, typically consists of:
- An introduction clarifying the scope, objectives, timing and extent of the work performed;
- An executive summary indicating the key findings, a brief analysis and a conclusion;
- The intended report recipients and, where appropriate, guidelines on classification and circulation;
- Detailed findings and analysis;
- Conclusions and recommendations; and
- A statement from the auditor detailing recommendations or scope limitations.
The draft audit report should be presented to and discussed with management. Further review and revision may be necessary because the final report typically involves management committing to an action plan.
Learn how to execute audits
For further practical advice, our ISO27001 Certified ISMS Lead Auditor Online Masterclass is ideal for anyone conducting internal and external audits.