As data privacy requirements become stricter across all states in the U.S., adoption of the information security standard ISO 27001 is becoming increasingly popular.
Compliance with ISO 27001 requires continual monitoring and regular reviews of your ISMS (information security management system). Testing and assessing your information security measures through an audit is essential to ascertain whether the controls you have implemented are working effectively.
An ISO 27001 audit does not have to be an overwhelming prospect. Effective planning, clear and concise documentation, and a detailed knowledge of the Standard can improve your chances of audit success. By keeping in mind our internal audit checklist, you can transform your audits into a painless process.
What is an ISO 27001 audit?
There are two types of ISO 27001 audit: an internal audit and a certification audit. The former is a periodic, comprehensive assessment of your ISMS to determine whether your processes, procedures, and controls are working effectively and in line with ISO 27001, and should be conducted by a qualified and independent internal auditor. A certification audit is an audit of your ISMS that follows the same principles as an internal audit, but is conducted by an external party in the form of an independent, accredited certification body. Certification runs on a three-year cycle: a full certification (or recertification) audit is conducted every three years, with shorter surveillance audits by the certification body in the intervening years to confirm that the ISMS is still being maintained.
Why do you need an internal audit?
Internal audits are a requirement of ISO 27001, as outlined in Clause 9.2 of the Standard.
Clause 9.2 states that internal audits should be conducted “at planned intervals to provide information on whether the information security management system conforms to:
- the organization’s own requirements for its information security management system; and
- the requirements of this International Standard;”
ISO 27001 audit checklist
Our short ISO 27001 audit checklist will help make audits a breeze.
1. Set the audit criteria and scope
It’s important to set the audit criteria and scope, including the specifics of each audit that is planned, to ensure that the objectives are being met. The details of the audit program should be clearly documented, including the frequency of internal audits, the locations that will be audited (and when), how the audit will be conducted, information about the planning of the audit, and how the results will be reported.
2. Appoint an independent auditor
Any auditor worth their salt will know that they must be independent of the implementation project: an auditor cannot audit their own work, and Clause 9.2 requires the audit to be conducted objectively and impartially. One of the most common causes of nonconformity with the Standard is that the people auditing the ISMS were themselves involved in implementing the controls or the corrective actions they are now reviewing.
3. Identify stakeholders
Since the ISMS involves the entire organization, you need to identify the managers and process owners who are accountable for each part of it, so that you know who to interview about each aspect of the ISMS and who can produce the evidence you will ask for.
4. Audit documentation (stage 1)
One of the key requirements of an ISO 27001-compliant ISMS is to document the measures you have taken to improve information security. The first stage of the audit will be to review this documentation. Documentation not only refers to the policies and procedures, the SoA (Statement of Applicability), etc. but also the audit planning documentation, as well as the records taken during the internal audit itself.
When reviewing documentation, note in parallel the requirements that each document imposes on the organization. For instance, if you are reviewing a specific policy or procedure, record what it commits people to do (who, what, how often) and any observations about gaps or ambiguities, so that during the next stage of the audit you can check whether those requirements are actually being met in practice.
5. Conducting the audit (stage 2)
The second stage of the audit (also called a field review) is to check how the ISMS works in practice, and takes the form of a practical ‘walkthrough’ of the organization. This will involve interviewing managers and employees, reviewing specific equipment, and observing whether procedures are being followed (e.g. do all employees follow a clear desk policy? Are physical security measures in place?). This stage can often take more than a week, depending on the organization’s size and complexity.
The auditor will take detailed notes throughout the process, including whether the organization is complying with specific clauses of the Standard. They will also record the names of individuals interviewed and a summary of what was said, details of any records that were reviewed, and any other observations.
Note that not all controls have to be implemented by the organization. A justification for the inclusion or exclusion of each of the Annex A controls (the reference controls detailed in ISO 27002) should be documented in the SoA, and the auditor should check that each exclusion is justified by the risk assessment rather than by convenience.
6. Audit report
Following the audit, the auditor will document their findings, including a list of any nonconformities observed, and draw up an internal audit report. The purpose of the report is for the organization to identify any corrective actions that need to be addressed so that information security risks are managed appropriately.
7. Follow-up
The auditor should follow up with the organization to establish whether the corrective actions have been addressed. Only once all the nonconformities have been dealt with can the internal audit cycle be considered complete.
8. Retention of records
All audit documents should be retained by the organization as controlled documented information under Clause 7.5.3 of the Standard, including the audit program, the results of each internal audit, and the evidence gathered. These serve as a record of performance and of the conclusions reached, and will help support future internal and certification audits.
Free ISO 27001 webinar on how to conduct an internal audit (watch on demand)
Find out about the ISO 27001 internal audit process with Steve Watkins, chair of the ISO/IEC 27001 User Group – the UK chapter of the ISMS International User Group – and technical assessor for UKAS (the United Kingdom Accreditation Service), advising on its assessments of certification bodies offering accredited certification.
This webinar covers:
- The requirements for an internal audit and an internal audit program
- The role of the internal auditor and ISMS audits
- Mandatory documents for reviewing an ISO 27001-compliant ISMS
- An evidence-based approach to reporting, identifying, and compiling nonconformities
- Addressing common audit mistakes and challenges
Need help preparing for an ISO 27001 certification?
Contact us now for support with your internal audit and preparing for certification.