Internal Audit

Clause 9.2 of ISO27001:2022 sets out what you need to deliver to be compliant with the Internal Audit requirement. What does all of this mean?

Think of the internal audit in the same way as you would your formal external certification audit. It is the time for the organization to take a deep, hard look at the internal workings of the ISMS and identify any gaps that need to be addressed before an external auditor finds them.

Plan the internal audit

Clause 9.2 only requires that internal audits happen "at planned intervals", so the frequency is yours to justify in the audit programme. A common pattern is once per year, scheduled roughly midway between external certification or surveillance visits. This timing gives you adequate time to address any findings before your external audit. The programme does not have to cover the whole ISMS in a single visit: you can split it into several smaller audits across the year, as long as every process, location and control within scope is audited over the cycle, and higher-risk areas and areas with previous findings are revisited more often.

Who should conduct it?

The auditor for the internal audit needs to be independent of the area being audited: nobody should audit their own work. If your organization is large enough, you may be able to nominate an auditor from a different business unit that has no stake or interest in the operation of your ISMS. You could also enlist the support of a third-party consulting company, ideally not the same one that helped you design or implement the ISMS, since that would compromise their impartiality.

Key characteristics of an internal auditor:

  • Independence: Must not be responsible for the area being audited
  • Competence: Should understand ISO27001 requirements and audit principles (ISO 19011, the guideline for auditing management systems, is the usual reference)
  • Objectivity: Must be able to provide an unbiased, evidence-based assessment

What is the scope?

The internal audit scope should cover:

Audit Criteria:

  • ISO27001:2022 requirements (Clauses 4 to 10)
  • The Annex A controls you have selected in your Statement of Applicability
  • Organization's ISMS policies and procedures
  • Applicable legal and regulatory requirements
  • Contractual obligations

Audit Scope:

  • All processes within the ISMS scope
  • All locations covered by the ISMS
  • All departments and functions within scope
  • Review of risk assessments and treatments
  • Effectiveness of controls
  • Management review processes

Audit Process

Pre-Audit Activities

  1. Audit Planning: Develop an audit plan including scope, criteria, methods, and schedule
  2. Document Review: Review ISMS documentation, policies, procedures, and previous audit reports
  3. Stakeholder Communication: Inform relevant personnel about the audit schedule and requirements

Conducting the Audit

  1. Opening Meeting: Explain audit objectives, scope, criteria, and methods to auditees
  2. Evidence Collection: Through interviews, document reviews, and observations
  3. Findings Documentation: Record any non-conformities, observations, and positive findings

Audit Methods

  • Interviews: With personnel at various levels
  • Document Review: Policies, procedures, records, and evidence
  • Observation: Of processes and activities in action
  • Sampling: Representative selection of evidence

Things to look out for

Is the ISMS working?

Key questions to assess ISMS effectiveness:

  • Are policies and procedures being followed?
  • Are controls operating as intended?
  • Are metrics and measures providing meaningful data?
  • Is the Plan-Do-Check-Act cycle functioning?
  • Are improvement actions being implemented?

Security Objectives

Evaluate whether:

  • Security objectives are defined and measurable
  • Progress toward objectives is tracked
  • Objectives align with business goals
  • Resources are allocated appropriately
  • Results are reported to management

ISO27001:2022 Compliance

Check compliance with all relevant clauses:

  • Clause 4: Context of the organization
  • Clause 5: Leadership and commitment
  • Clause 6: Planning (including risk assessment)
  • Clause 7: Support (resources, competence, communication)
  • Clause 8: Operation (risk treatment, controls)
  • Clause 9: Performance evaluation (monitoring, internal audit, management review)
  • Clause 10: Improvement (non-conformity, corrective action)

Common Audit Findings

  • Incomplete risk assessments
  • Controls not operating effectively
  • Missing evidence of control execution
  • Inadequate document management
  • Insufficient training records
  • Management review not covering all required topics

Dealing with findings

Types of Findings

  1. Non-conformity: Failure to meet a requirement of the standard or of your own ISMS documentation. Record which requirement was not met and the evidence that shows it.
  2. Observation: Potential improvement opportunity; not a failure against a requirement, but worth recording so it can be tracked
  3. Positive Finding: Evidence of good practice

Reporting to Management

The audit report should include:

  • Executive summary of audit results
  • Details of non-conformities and observations
  • Evidence supporting findings
  • Recommendations for improvement
  • Conclusion on ISMS effectiveness

Root Cause Analysis

For each non-conformity:

  1. Identify the immediate cause
  2. Determine the root cause
  3. Develop corrective actions
  4. Implement and verify effectiveness
  5. Prevent recurrence

Follow-up Actions

  1. Corrective Action Plans: Address non-conformities with specific timelines
  2. Responsibility Assignment: Designate owners for each action
  3. Progress Monitoring: Track implementation status
  4. Verification: Confirm corrective actions are effective
  5. Closure: Close findings when satisfactorily addressed

Documentation

Maintain records of:

  • Audit program and plans
  • Audit reports
  • Non-conformity reports
  • Corrective action plans
  • Evidence of corrective action implementation
  • Follow-up audit results

Continuous Improvement

Use internal audit results to:

  • Identify trends and systemic issues
  • Improve ISMS processes
  • Enhance audit program effectiveness
  • Provide input for management review
  • Support certification maintenance

The internal audit is a valuable tool for ensuring your ISMS remains effective and aligned with ISO27001:2022 requirements while driving continuous improvement within your organization.