As a part of your ISO compliance, your organization must conduct an internal audit. Internal audits are carried out independently utilizing internal personnel or an ISO consultant with experience and knowledge of your organization and industry. The purpose of the internal audit is to provide information on whether the information security management system (ISMS) conforms to the requirements of your organization and this International Standard and that all processes are implemented and maintained to keep your organization secure.
An internal audit provides the status of your organization's ISMS to top management. It can be used to evaluate and improve the efficacy of business practices and may identify nonconformities, risks, and opportunities. An internal audit ensures that your ISMS conforms to the requirements in ISO/IEC 27001 and your organization's requirements — this includes:
- Requirements stated in the information security policy and procedures
- conditions produced by the framework for setting information security objectives, including outcomes of the risk treatment process
- legal and contractual requirements
- requirements for the management of documented information
- requirements for the effective operation of controls
The extent and frequency of internal audits should be based on the size and nature of your organization as well as the character, functionality, complexity, and level of maturity of your organization's ISMS, however, the annual performance of an internal audit is expected in the industry.
The Audit Criteria, Plan and Program
Audit criteria are a set of policies, procedures or requirements that are used as a reference against which audit evidence is compared. In other words, the audit criteria describe what the auditor expects to be in place. An audit plan describes the activities and arrangements for a specific audit. An audit program describes the overall framework for a set of audits planned for particular time frames and directed towards specific purposes.
The audit program defines the structure and responsibilities for planning, conducting, reporting, and following up on individual audit activities (note: your organization must retain documented information about your audit program and audit results). An audit program should include documented information about: audit criteria, audit methods, selection of audit teams, processes for handling confidentiality, information security, and health and safety provisions for auditors to ensure:
- Audits are appropriate, have the proper scope, minimize the impact on the organization's operations, and maintain the necessary quality of audits.
- The competence of the audit teams, the appropriate maintenance of audit records, monitoring and review of the operations, and the risks and effectiveness of the audits
- That the ISMS (relevant processes, functions, and controls) is audited within a specified time frame
- The inclusion of documented information about types, duration, locations, and schedule of the audits
The audit program should be designed to ensure coverage of all necessary controls and include an evaluation of the effectiveness of selected controls over time. The effectiveness of the implemented controls should be examined within the scope of your internal audits. Essential controls should be included in every audit, and controls implemented to manage lower risks may be audited less frequently. The audit program should also consider that processes and controls should have been operating for some time to evaluate relevant evidence.
Vanta includes a lightweight template for planning and designing your internal audit programme in accordance with ISO 27001 requirements.
Competence and evaluation of auditors
Auditors selected should be competent, independent, and adequately trained. Your organization should:
- identify competence requirements for its auditors
- select internal or external auditors with the appropriate competence
- have a process in place for monitoring the performance of auditors and audit teams
- include personnel on internal audit teams that have proper sector-specific and information security knowledge
Selecting internal auditors can be difficult for smaller companies — if the necessary resources and competence are not available internally, external auditors should be appointed. If using external auditors, your organization should share contextual knowledge about the organization from the internal staff.
Internal employees acting as internal auditors may be able to perform detailed audits with regard to the organization's context, but they may not have enough knowledge about performing audits. Your organization should recognize internal versus external auditors' characteristics and potential shortcomings and establish suitable audit teams with the necessary knowledge and competence.
Performing the audit
When performing the audit, the team leader should prepare an audit plan considering the results of previous audits (e.g., the need to follow up on previously reported nonconformities and unacceptable risks).
The audit plan should be retained as documented information and should include criteria, scope, and methods of the audit, including:
- adequacy and effectiveness of processes and determining controls
- fulfillment of information security objectives
- compliance with requirements defined in ISO/IEC 27001:2013, clauses 4 to 10
- compliance with the organization's information security requirements
- consistency of the Statement of Applicability against the outcome of the information security risk treatment process
- consistency of the actual information security risk treatment plan with the identified assessed risks and the risk acceptance criteria;
- relevance (considering the organization's size and complexity) of management review inputs and outputs
- impacts of management review outputs (including improvement needs) on the organization
If the audit outcome includes nonconformities, the auditee should prepare an action plan for each nonconformity. A follow-up action plan typically includes:
- description of the detected nonconformity
- description of the cause or causes
- description of short-term correction and longer-term corrective action to eliminate the detected nonconformity within a defined timeframe
- the persons responsible for implementing the plan
Results of the previous audits should be reviewed, and the audit program adjusted to manage better areas experiencing higher risks due to nonconformity.
For additional information, see:
- ISO 27001 to understand the specific control language that needs to be satisfied
- ISO 19011 for general guidance on auditing management systems, the principles of auditing, managing an audit program and conducting management system audits, and advice on the competence of persons or groups of people involved in the audit.
- ISO/IEC 27007 for specific guidance on managing an ISMS audit program, conducting the audits, and on the competence of ISMS auditors.
- ISO/IEC 27008 for guidance on assessing information security controls.