Planning Your ISO 27001 Audit Programme

Sadia Nisar | Information Security Consultant at URM | Published on 19 Apr 2024

An ISO 27001 audit is an evaluation process that not only demonstrates the stability and effectiveness of your organisation’s information security policies, processes and procedures, but also drives you toward building a more effective and healthy information security management system (ISMS). Planning, establishing, implementing and maintaining a regular audit programme is also a requirement of ISO 27001, and is therefore necessary to maintain conformance to the Standard.

To plan an effective ISO 27001 audit programme, you will need to understand how, where, when, and by whom the audits will be performed.  You will also need to understand the types of audit that exist, their structure and how to define the audit’s scope and criteria, all of which will be covered in this blog.

An ISO 27001 requirement

Clause 9.2 of ISO 27001 requires organisations to conduct internal audits at planned intervals, and specifies that:

  • The audits need to be planned at suitable intervals, and the audit programme (frequency, methods, responsibilities, planning requirements and reporting) needs to be defined and documented
  • The audit programme needs to be appropriate to your organisation, taking into account the importance of the processes concerned and the results of previous audits
  • The audit criteria and scope need to be defined for each audit, and auditors need to be selected so that the audit is objective and impartial
  • Audit results need to be reported to relevant management, and documented information retained as evidence of the programme and its results.

As well as being a requirement under Clause 9, the outputs from the audit will inform the corrective actions and continual improvements you implement under Clause 10.  As such, audits are a vital activity for meeting the requirements of multiple ISO 27001 clauses and are absolutely key to improving your ISMS.

Types of audits

There are three types of audit, known as first-, second- and third-party audits. First-party audits are otherwise known as internal audits; they can be conducted by the organisation itself or outsourced to an external consultancy (an outsourced audit commissioned by the organisation is still an internal audit, because it is performed on the organisation’s own behalf).

Third-party audits are external audits (i.e., not conducted by the organisation itself) carried out by a completely independent body, for example a certification body (CB) assessing an organisation’s ISMS to determine whether it meets the requirements of the ISO 27001 Standard. If it does, the CB will recommend the organisation for ISO 27001 certification or recertification. External audits can also be conducted by interested parties (such as partners or customers) seeking assurance of the ISMS’s conformance to ISO 27001 and of the organisation’s good practice. These are known as second-party audits and, whilst they cannot result in certification (only a certification body can award this), they may help fulfil business requirements and criteria set by the interested party. For more information about interested parties and ISO 27001, read our blog on How to Meet the ISO 27001 Requirements around Interested Parties.

Audit programme benefits

As mentioned above, internal audits are a requirement of ISO 27001 and must be conducted in order to achieve and maintain certification. However, aside from their status as a certification requirement, audits provide a range of benefits to your organisation. They measure the conformance of your ISMS to the Standard and help you improve it, and they increase awareness of information security and the ISMS among management and staff. They can highlight both adherence to good practice and risks that exist within organisational processes, and will enable you to identify any areas where processes are not currently being followed. Audits also provide input to management reviews, the basis for root cause analysis of any issues captured, and input to your risk management process by determining the effectiveness of controls. Ultimately, audits can help you improve customer satisfaction and avoid reputational damage by reducing the likelihood of the errors that lead to breaches or complaints.

Key factors in audit preparation

There are several key factors you will need to consider as you start to prepare for an audit, including:

  • Size and complexity of the organisation – This may include the number of physical locations, people, interdependencies of the business, data, products, and services.
  • Key functions and processes – Systems, planning and development, marketing and sales, demand and supply, along with customer and supplier management.
  • Scope – This defines the boundaries of your organisation and will include any interdependency on external factors such as suppliers, processes, and any legal requirements.
  • Availability of auditees and auditors – The staff (auditees), at both senior and managerial level, who need to be available for interview, and the audit team members (auditors) available on the day of the audit.
  • Degree of assurance required – The level of confidence management needs in the audit’s conclusions; the greater the assurance required, the more evidence must be gathered and the larger the samples examined.
  • Auditor competence – The auditor must be knowledgeable of audit principles, practices, and techniques, along with the subject matter.
  • Auditor independence or impartiality – The auditor’s opinions and assessments must be impartial and free from conflicts of interest; in particular, auditors should not audit their own work.
  • Incidents – Incidents that have been captured and reported, and those that have been addressed.
  • Previous audit findings – Access to the previous audit report provides clarity, direction and understanding, and allows the auditor to follow up any outstanding findings in the current report.

Audit methodology

It is important for your organisation to document its audit methodology and establish key criteria against which all audits will be performed. This will ensure that audit outcomes will be comparable.  Some key elements that need to be included in your audit methodology are as follows:

  • Interviews (what we are told happens) – The auditor will interview those individuals responsible for elements of the management system, as well as those who are responsible for implementing and managing controls.
  • Documentation (what is supposed to happen) – These documents are usually policies, processes and procedures that document what is supposed to happen.  This can be compared with what we are told in the interviews to determine if processes are working as expected.
  • Records (what happened – linked to the degree of assurance required) – Records provide evidence that policies, processes and procedures have actually been carried out in the way they are required to be. Generally, we would expect the records to align with what we are told in interviews. Records can be a range of different things including paper documents, electronic documents, CCTV footage, system logs, etc.
  • Sampling – Sampling is used to avoid having to examine every instance of something. For example, when auditing the starters and leavers process, every new starter and leaver should have followed the same process, so in an organisation with high staff turnover the auditor can select a representative sample of starters and leavers rather than checking every record. The sampling approach should have the following characteristics:
    - Items are selected randomly, to avoid accusations of bias.
    - The sample is representative of risk priority: the higher the risk, the larger the sample, and vice versa.
    - The auditor, not the auditee, determines which items are sampled, again to avoid bias.
    - If the results are ambiguous, the sample size is increased.
    - If there is a high degree of consistency and repetition, consideration can be given to reducing the sample size.
    - The sample size is linked to the degree of assurance required: the greater the assurance required by management, the larger the sample.
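The sampling characteristics above translate directly into a small, repeatable procedure. The following Python is an added example for this blog post, not code from the original article, from URM or from the Standard. It assumes a leaver record layout, a 24-hour account-revocation target, per-tier sample fractions, an assurance multiplier and an "ambiguous" failure band; all of these are assumptions, and the HR records it runs on are constructed.

```python
"""Risk-based sampling for an internal audit of the leavers process.

Added example for this blog post; it is not URM's or the Standard's own method.
The record layout, the 24-hour revocation target, the per-tier sample
fractions and the ambiguity threshold are assumptions chosen to illustrate
the sampling rules listed above.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class LeaverRecord:
    employee_id: str
    risk: str                    # assumed tiers: "high" | "medium" | "low"
    access_revoked_hours: float  # hours from leaving date to last account disabled


BASE_FRACTION = {"high": 0.50, "medium": 0.25, "low": 0.10}  # assumed share of each tier examined
ASSURANCE_MULTIPLIER = {"limited": 1.0, "reasonable": 1.5, "high": 2.0}  # assumed scaling
MIN_PER_TIER = 3      # assumed floor so that a small tier is not skipped entirely
SLA_HOURS = 24.0      # assumed policy target: accounts disabled within 24 hours
AMBIGUOUS_MAX = 0.15  # assumed: a failure rate above zero but up to 15% is ambiguous
MAX_EXTENSIONS = 3    # stop enlarging the sample after this many rounds


def sample_size(population: int, risk: str, assurance: str) -> int:
    """Sample count for one risk tier, never more than the tier's population."""
    if population == 0:
        return 0
    wanted = math.ceil(population * BASE_FRACTION[risk] * ASSURANCE_MULTIPLIER[assurance])
    return min(population, max(wanted, MIN_PER_TIER))


def draw_sample(records, assurance, seed):
    """Stratify by risk tier, then draw a seeded random sample within each tier.

    The auditor, not the auditee, chooses the seed and notes it in the working
    papers, so the selection is unbiased yet reproducible.
    """
    rng = random.Random(seed)
    chosen = []
    for tier in BASE_FRACTION:
        stratum = [r for r in records if r.risk == tier]
        chosen.extend(rng.sample(stratum, sample_size(len(stratum), tier, assurance)))
    return chosen


def evaluate(sample):
    """Return (nonconforming records, failure rate) against the assumed SLA."""
    failed = [r for r in sample if r.access_revoked_hours > SLA_HOURS]
    return failed, (len(failed) / len(sample) if sample else 0.0)


def classify(rate: float) -> str:
    if rate == 0.0:
        return "conforming"
    return "ambiguous" if rate <= AMBIGUOUS_MAX else "nonconforming"


def audit_leavers(records, assurance="reasonable", seed=20240419):
    """Sample, test, and keep enlarging the sample while the result is ambiguous."""
    sample = draw_sample(records, assurance, seed)
    failed, rate = evaluate(sample)
    rounds = 0
    while (classify(rate) == "ambiguous" and len(sample) < len(records)
           and rounds < MAX_EXTENSIONS):
        rounds += 1
        seen = {r.employee_id for r in sample}
        remainder = [r for r in records if r.employee_id not in seen]
        # Double the sample from records not yet examined (fresh seed per round).
        sample += random.Random(seed + rounds).sample(remainder, min(len(sample), len(remainder)))
        failed, rate = evaluate(sample)
    verdict = classify(rate)
    if verdict == "ambiguous":
        # Every record examined: any failure is a real nonconformity. Otherwise
        # the evidence is still inconclusive and the auditor must do more work.
        verdict = "nonconforming" if len(sample) == len(records) else "inconclusive"
    return {
        "population": len(records),
        "sample_size": len(sample),
        "extensions": rounds,
        "failure_rate": round(rate, 3),
        "nonconformities": sorted(r.employee_id for r in failed),
        "verdict": verdict,
    }


def constructed_records(high_failures: int):
    """Constructed HR data: 4 high-risk, 8 medium-risk and 20 low-risk leavers.

    The first `high_failures` high-risk leavers had access revoked after 72 hours;
    everyone else was disabled within 2 hours.
    """
    recs = [LeaverRecord(f"H{i}", "high", 72.0 if i < high_failures else 2.0) for i in range(4)]
    recs += [LeaverRecord(f"M{i}", "medium", 2.0) for i in range(8)]
    recs += [LeaverRecord(f"L{i}", "low", 2.0) for i in range(20)]
    return recs


if __name__ == "__main__":
    print(audit_leavers(constructed_records(high_failures=0)))
    print(audit_leavers(constructed_records(high_failures=4)))
    print(audit_leavers(constructed_records(high_failures=1), assurance="high"))
```

Two design points are worth noting. The seed is chosen and recorded by the auditor, which satisfies both the "random" and "auditor determines the sample" characteristics while leaving a reproducible audit trail. And a single failure in a small sample is deliberately not treated as conclusive either way: the procedure widens the sample until the result is clear or the whole population has been examined, at which point any failure is a genuine nonconformity.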

Determining scope and criteria

One of the earliest steps necessary in establishing your audit programme is determining the scope of audits.  This will help determine how much time, travel, resources, etc. will be required to complete the audit.  Your scope will also help you define what the audit needs to evaluate (systems, processes, procedures, policies, and controls), also known as the scope inclusions, as well as the scope exclusions, i.e., which elements can be excluded or performed in future audits.  Your scope should also include your justification, i.e., the reason and need for the audit (certification or re-certification, surveillance audit, planned or unplanned).

The criteria define the factors against which the scope inclusions are evaluated. In the context of an ISO 27001 audit, these will generally be the Standard itself and your organisation’s documented policies, processes and procedures. Put simply, audit criteria are the requirements, both within the Standard and within your own policies, processes and procedures, that your organisation is expected to meet, and the audit itself is conducted to determine whether or not those criteria have been met.

ISO 27001 states:

The organisation shall conduct internal audits at planned intervals to provide information on whether the information security management system (ISMS):

  1. conforms to
    A) the organisation’s requirements for its ISMS
    B) the requirements of this International Standard, and
  2. is effectively implemented and maintained

Therefore, the audit criteria are:

  • Mandatory clauses from ISO 27001
  • Applicable controls from Annex A of ISO 27001
  • Other controls as noted in the Statement of Applicability
  • Organisational policies, processes, procedures, and standards.

The auditor will determine the audit scope and criteria at the beginning of the process and make these the basis for evaluating performance and writing the report.

Logistics considerations

Once the scope and criteria are set, there are further, logistical aspects that you will need to consider in order to ensure the audit programme runs smoothly. You will need to consider, for example, your physical locations. If an in-person audit is required, are there auditors available in the area, and are the available auditors competent? Will you require interpreters, translators, technical specialists, or guides? Is the timing of your audit convenient, or will it overlap with a holiday season or a busy period? These, and other important logistical questions, can make or break a successful and seamless audit.

Prioritising audits

ISO 27001 audits should be performed at regular intervals and are typically structured around a 3-year schedule, matching the lifecycle of your ISO 27001 certification. The priority, frequency, and intervals between audits can vary based on a number of factors relating to the context of your organisation. As a rule of thumb, if you have identified a high level of risk in your risk assessment, an incident has occurred previously, or nonconformities were identified in your previous audit, it is advisable to audit the affected areas more frequently and sooner rather than later. The criticality of processes, and your management, legal and regulatory, and contractual requirements will also come into play when you prioritise and plan your audit schedule. However, it is important to ensure that every element and control is audited at least once within the 3-year certification cycle.

The audit programme must therefore be structured with the following in mind:

  • The audit programme should be dynamic and flexible
  • It should be adjusted as required, based on the rules of thumb outlined above.

For example, if there are poor audit results in certain areas of your organisation, these areas might be audited more frequently than those that have performed well in previous audits.
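The rules of thumb above (audit high-risk areas, previous nonconformities and incident-affected areas more often and sooner, adjust the programme as findings arrive, but cover everything within the 3-year cycle) can be checked mechanically. The following Python is an added example for this blog post, not code from the original article, from URM or from the Standard. The ISMS elements, their risk ratings and history, the base intervals, the 3-month minimum interval and the audit team capacity are all assumptions constructed for the illustration.

```python
"""Risk-based audit scheduling across a 3-year certification cycle.

Added example for this blog post; it is not URM's or the Standard's own
method. The ISMS elements, their risk ratings, the base intervals, the
3-month minimum and the team capacity are assumptions used to show how the
rules of thumb above turn into a schedule that still covers everything.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Element:
    name: str
    risk: str                    # assumed: "high" | "medium" | "low"
    nonconformity: bool = False  # open finding from the previous audit
    incident: bool = False       # related incident in the last 12 months


BASE_INTERVAL = {"high": 12, "medium": 18, "low": 36}  # assumed months between audits
MIN_INTERVAL = 3   # assumed: never audit the same element more often than quarterly
CYCLE_MONTHS = 36  # the 3-year certification cycle
CAPACITY = 3       # assumed: the audit team can complete three audits a month


def interval_for(element: Element) -> int:
    """Months between audits: halved for an open nonconformity, halved again for an incident."""
    months = BASE_INTERVAL[element.risk]
    if element.nonconformity:
        months //= 2
    if element.incident:
        months //= 2
    return max(MIN_INTERVAL, months)


def first_due(element: Element) -> int:
    """Findings and incidents are followed up early in the cycle, not at the normal interval."""
    return MIN_INTERVAL if (element.nonconformity or element.incident) else interval_for(element)


def plan_cycle(elements, cycle=CYCLE_MONTHS, capacity=CAPACITY):
    """Return {element name: [audit months 1..cycle]}, most frequent elements placed first.

    When a due month is already at capacity the audit is pulled earlier, never
    later, so an element's interval is never exceeded (month 1 absorbs any
    overflow if every earlier month is full).
    """
    load, schedule = {}, {}
    for element in sorted(elements, key=interval_for):
        months, due = [], first_due(element)
        while due <= cycle:
            month = due
            while month > 1 and load.get(month, 0) >= capacity:
                month -= 1
            load[month] = load.get(month, 0) + 1
            months.append(month)
            due = month + interval_for(element)
        schedule[element.name] = months
    return schedule


def verify(schedule, elements, cycle=CYCLE_MONTHS):
    """List every element not audited in the cycle, or whose audit gap exceeds its interval."""
    by_name = {e.name: e for e in elements}
    problems = []
    for name, months in schedule.items():
        if not months:
            problems.append(f"{name}: not audited within the {cycle}-month cycle")
            continue
        limit, previous = interval_for(by_name[name]), 0
        for month in months:
            if month - previous > limit:
                problems.append(f"{name}: gap of {month - previous} months exceeds {limit}")
            previous = month
    return problems


def add_follow_up(schedule, name, found_in_month, cycle=CYCLE_MONTHS):
    """A finding raised mid-cycle brings a follow-up audit of that element forward."""
    follow_up = found_in_month + MIN_INTERVAL
    if follow_up <= cycle and follow_up not in schedule[name]:
        schedule[name] = sorted(schedule[name] + [follow_up])
    return schedule[name]


# Constructed ISMS elements with assumed ratings and history.
ELEMENTS = [
    Element("Access control", "high", nonconformity=True),
    Element("Logging and monitoring", "high", incident=True),
    Element("Technical vulnerability management", "high"),
    Element("Supplier relationships", "medium"),
    Element("Physical security", "low"),
    Element("Awareness training", "medium", nonconformity=True),
    Element("Cryptography", "high", nonconformity=True),
]

if __name__ == "__main__":
    plan = plan_cycle(ELEMENTS)
    for name, months in plan.items():
        print(f"{name:36s} {months}")
    print("problems:", verify(plan, ELEMENTS))
```

Running the block shows the effect of the rules: the three high-risk elements with findings or incidents are audited in month 3 and every six months thereafter, the low-risk element only once at month 36, and "Awareness training" is pulled forward to month 2 because month 3 is already full. `verify` is the check a programme owner wants before approving the plan; shorten the cycle to 24 months and it reports the low-risk element as uncovered, which is exactly the coverage gap a certification body would pick up.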

Managing audits

Once the audit programme has been established, you will need to ensure it is properly managed and maintained.  Best practice dictates that the audit programme should be approved by an appropriate authority, assigned to one or more individuals and, if there is more than one auditor, have a lead auditor appointed.  The audit should also follow established procedures and be monitored and reviewed at appropriate intervals.  When reviewing the audit programme, you will need to consider whether it is meeting its objectives; in essence, you should be ‘auditing the audit process’ and looking to identify any opportunities for its improvement.

Meanwhile, you will need to retain records of the audit programme and audit programme review, details of the audit team, records which validate their competency and, of course, of the audit reports that are produced, including any nonconformities, corrective action tracking and follow-up audit reports.

How can URM help?

With nearly 2 decades of experience assisting organisations to achieve and maintain certification to ISO 27001, URM is ideally placed to support your organisation with planning and implementing an audit programme, and/or by conducting an ISO 27001 internal audit in line with your established audit programme against any aspect of the ISMS or controls. As well as being subject matter experts, URM’s team of experienced and qualified ISO 27001 consultants are all skilled in best practice audit techniques and can demonstrate the necessary competence and impartiality required for an effective and ISO 27001 conformant audit.

However, URM’s ISO 27001 consultancy capabilities extend far beyond the audit; we can provide either full-lifecycle services or a more specific service if you only require assistance with certain aspects of your certification/conformance project. For example, a URM ISO 27001 consultant can conduct a gap analysis of your existing policies, processes, controls etc. against the requirements of the Standard, and assist you to conduct your risk assessment. Drawing on the outputs of the risk assessment, we can help identify, develop and implement the most appropriate policies and processes to allow your organisation to conform/certify to ISO 27001, while always making sure to align these policies and processes with your organisation's existing culture and practices. We can help you establish a framework and management system and provide full implementation support, either by taking the lead or on a lighter-touch, advisory basis, depending on your preference.

Sadia Nisar
Information Security Consultant at URM
Sadia is an Information Security Consultant at URM with extensive experience in providing ISO 27001 consultancy and implementation support, conducting ISMS audits, and facilitating Cyber Essentials assessments.