One of the most significant tasks in earning your ISO 27001 certification is the internal audit. The audit must be conducted by an ISO-trained professional and is required both for the initial certification and for annual renewals. One of the core functions of the audit is to verify continuous ISO compliance within your ISMS. The standard also mandates that the organization conduct internal audits at planned intervals to confirm that its ISMS conforms to the organization's own requirements as well as to those of ISO. The full internal audit is completed once during each three-year ISO 27001 certification cycle, ensuring that you remain compliant. While this is the required frequency, completing the entire process each year can be beneficial. By conducting annual audits, you can see how the business works in practice and continuously reevaluate risks and the effectiveness of your ISMS. Overall, this is far more effective than a surface-level surveillance audit.
Many believe that this audit merely consists of completing a checklist, but it is more thorough than that. The audit should be derived from the organization's issues, scope, locations, departments, processes, risks, and Statement of Applicability. The audit function is set out explicitly in Clause 9.2 of the ISO 27001 standard. Per this clause, each organization must complete the following steps:
- Plan, establish, implement, and maintain an audit program. This will include methods, responsibilities, requirements, reporting, and frequency.
- Define audit criteria and scope for each audit.
- Select auditors and conduct audits that ensure objectivity and impartiality.
- Ensure that audit results are reported to relevant management.
- Retain documented information as evidence of the audit program and results.
It is important to note that while it may seem beneficial to perform your own internal audit, this is not best practice. In many organizations, the individual who would carry out the audit also owns or controls the very controls being audited. This is a conflict of interest and would render the audit insufficient. To avoid it, it is best to outsource the internal audit to CPA firms that possess the proper knowledge and experience of ISO 27001. With that said, we will move on to the five steps to completing the internal audit.
5 Steps to Completion
First and foremost, you should read and review the documentation you created when implementing your ISMS. This is essential because the scope of your audit should match that of your organization; doing so sets clear parameters for what needs to be audited and ensures that time is spent efficiently. Defining the scope of your audit is also crucial to ensure that all relevant components of your ISMS and organization are adequately prepared for the audit. During this review, you should also identify the main stakeholders in the ISMS, defining who is responsible for which controls and processes. This will allow you to quickly request any documentation required during the audit from the corresponding individual.
The next step is where the audit activity begins to take shape: the audit plan. At the very least, the audit plan will include the scope of the audit, the names of the auditors, and the dates, times, and locations of the audit. Before creating a robust audit plan, you should communicate with management to agree on timing and resourcing for the audit. Both auditors and management should create a detailed checklist of what needs to be completed. This should include establishing set checkpoints at which you will provide interim updates to the board. Meeting with management at such an early stage gives both parties the opportunity to raise any concerns they may have.
Following the audit plan is the field review. This is the stage at which the practical assessment of your organization takes place. Auditors will complete fieldwork across the entire company, talk with team members, check equipment, and observe the ISMS. During this stage, you will need to observe how the ISMS works in practice by speaking with front-line team members. This serves as the evidential sampling and interview process and will ensure that all team members are aware of the audit and have gathered the documents and evidence needed to conduct it. You will also need to perform audit tests to validate evidence as it is collected, complete audit reports to document the results of each test, and review ISMS documents, printouts, and other relevant data.
In the analysis stage, the evidence collected should be sorted and reviewed in relation to your organization's risk treatment plan and control objectives. This step is necessary for the audit to assess and analyze the findings and determine any nonconformities or opportunities for improvement. Occasionally, this will reveal gaps in evidence or indicate the need for further audit tests, which you should conduct accordingly.
Findings will typically be categorized in one of three ways: major nonconformity, minor nonconformity, or opportunity for improvement. Additionally, some certification bodies may use observations and positive points to categorize findings. Observations identify early indications that a minor nonconformity may exist or may develop if no action is taken. Positive points identify where an organization has gone beyond recognized good practice or where there has been improvement since a previous audit.
The final stage of the ISO 27001 internal audit is the report. The report delivers evidence of the audit results, demonstrating to the involved parties that the audit has been completed and is in compliance with ISO standards. You will need to present the audit's findings to management. As such, your report should include five primary components:
- An introduction clarifying the scope, timing, objectives, and extent of the work performed.
- An executive summary covering key findings, a robust analysis, and a conclusion.
- The intended recipients of the report and guidelines on circulation and classification.
- An in-depth analysis of the findings, conclusions, and recommended corrective measures.
- A statement detailing recommendations or scope limitations.
It is important to note that review and revision may be needed, as the final report typically involves management committing to an action plan.
With these five steps completed, you will be well on your way to a successful and meaningful internal audit. Thoroughly preparing your organization for the audit will strengthen your ISMS and your ISO 27001 compliance, allowing you to earn and maintain your ISO 27001 certification. Keep in mind that this audit is not a one-off; it is recommended to conduct one annually. This will guarantee continuous compliance while continually identifying and mitigating risks. Achieving your ISO 27001 certification is a great accomplishment. As an internationally recognized standard for information security, it is a tremendous competitive advantage for your organization. Conducting and completing your internal audit is a significant step toward becoming certified, so make sure that you are prepared.