ISO 27001 Internal Audit
What is an ISO 27001 internal audit?
An internal audit is, quite simply, an opportunity for an organisation to take an ‘inward look’ at how well it is performing against its own systems, policies, procedures and so on. Applied to ISO 27001, it provides an opportunity to review the effectiveness of your information security management system (ISMS) and to identify areas of concern before they develop into more significant problems.
The implementation and effective running of your ISMS will require a commitment from all your organisational staff, to varying degrees. The business environment is constantly changing, and your ISMS will frequently need to be ‘tweaked’ and modified in line with these changes.
An internal audit, also referred to as a first party audit, provides an opportunity to review your ISMS and confirm its continued suitability. If your organisation is certified to ISO 27001, conducting internal audits is not optional: the Standard requires them as part of its continual improvement model.
How can your organisation meet the internal auditing requirement of ISO 27001?
The ISO 27001 Standard requires that internal audits are conducted at planned intervals. On the face of it, this gives organisations a degree of flexibility in the frequency that they carry out internal audits. The Standard, however, does provide some clarity when it states that the frequency of the internal audits should be influenced by the importance of organisational processes. This risk-based approach effectively means that the areas where you may suffer the consequences of an oversight ‘first and worst’ should be audited more frequently than the more routine areas.
The Standard also requires that the frequency of internal audits should be aligned with the results of previous audits. If an area or department, for example, is continually giving cause for concern, it would be sensible to audit it a little more often. Conversely, if a department is consistently demonstrating high levels of performance, there are grounds for reducing the frequency of audits.
Internal audits should also be conducted by auditors who are objective and impartial to the process or activity being reviewed.
The objectivity element requires that findings are based on tangible evidence, not ‘gut feeling’. Any concerns raised during an audit should be backed up by such evidence.
The impartiality requirement means that you should not be involved in an audit of your own department or documentation. This aspect can bring about considerable value from a ‘second set of eyes’ review of how your department conducts its business.
How can an organisation conduct internal audits on an ISMS to comply with ISO 27001?
Your organisation should aim to conduct internal audits on the mandatory clauses of the Standard, the Annex A controls, any other relevant controls, and your own organisational processes that support the implementation of your ISMS. The Standard promotes a risk-based approach to auditing, i.e., the areas that are likely to suffer the greatest impact from a risk, or that are the most vulnerable, should be prioritised. A common rule of thumb is to have audited every element of your ISMS at least once over a three year period, matching the length of a certification cycle; this is a planning convention rather than a frequency stated in the Standard itself.
What are the ISO 27001 requirements for an internal audit?
Requirements for conducting internal audits are contained within Clause 9.2 of the Standard. This Clause states that your audits are aimed at providing assurance that your ISMS is meeting both your own organisational requirements for your ISMS and the requirements of the Standard itself. Naturally, the first aspect will vary greatly as organisations will adapt their business model to achieve conformity to the Standard. It should be noted that the Standard explicitly prohibits the exclusion of any element of Clauses 4-10 from your ISMS, although some flexibility is granted regarding the Annex A Controls. It is important to remember, however, that the Standard merely specifies requirements; how your organisation interprets and implements these requirements is down to you.
Each internal audit that is conducted must have a defined scope and criteria. The scope of the audit sets the boundaries for your auditors. For example, the scope may be limited to a department or function; naturally, the wider the scope of the audit, the more time and resources will be required. The criteria for your internal audit are, in effect, what you are assessing against. Examples could be ‘Clauses 4-6 of the Standard’ or ‘a selection of controls from Annex A’. Another example of an audit criterion could be ‘your own organisational policies’, which have, hopefully, been developed in line with the requirements of the Standard.
These parameters are typically defined by someone who acts as the audit programme manager: someone who has a holistic view of the organisation and is therefore able to focus the internal auditors’ energy where it will be most effective.
Finally, the internal audit results and the internal audit schedule must be documented to provide evidence that audits have been carried out effectively. A range of outputs may be produced following an audit, including a list of the auditees, the questions that were posed against the specified audit criteria, the findings and the supporting evidence, notes, and ultimately a report that captures the conclusion(s) of the audit. All of these should be retained by your organisation to inform future decisions. Adverse findings may be used to influence the focus and frequency of subsequent audits.
What is the ISO 27001 internal audit process?
An audit is the ‘check’ element of the Plan-Do-Check-Act continual improvement cycle. Additional guidance on how to conduct one is contained in a supporting guidance standard, ISO 19011. This Standard provides guidance on planning the audit programme, the preparatory activities, the conduct of the audit, subsequent reporting and follow-up actions, and the closure of the audit. Guidance is also provided within ISO 19011 on the principles of auditing and the competence of auditors. URM has delivered a number of webinars covering all stages of the audit process.
Does ISO 27001 require internal audits to be conducted?
Yes - Clause 9.2 of the Standard makes this requirement explicit. Remember, you must audit to assess whether your ISMS is meeting your own organisational requirements as well as the requirements of the Standard and that it is effectively implemented and maintained.
With ISO 27001, what do you audit against?
Organisations are required to conduct audits to provide evidence of conformance to:
- The organisation’s own requirements for its ISMS
- The mandatory clauses of the standard (clauses 4-10)
- ISO 27001 Annex A (and other) controls which are included within the scope of the ISMS
Audits can also be aligned to processes, many of which will have been developed to meet the objectives of your ISMS and will complement the implementation of the clauses and controls of the Standard.
Who can perform an internal audit for ISO 27001?
The value that an internal audit brings to your organisation will be influenced significantly by the choice of auditors who perform it. Your internal audit team will have significant insight into the context in which your organisation operates and how your organisation works. This experience can add a huge amount of value, but your audit team members will need additional skills. They will require a good knowledge and understanding of the ISO 27001 Standard, what it is intended to achieve, and how your organisation meets its requirements in a business environment. Auditors should also have received the appropriate audit training and have achieved the necessary qualifications.
It is essential that auditors are impartial to the processes and activities that they are reviewing. This brings the benefit of an independent perspective, and can often lead to greater streamlining of business activities and the implementation of new initiatives.
Auditors should also possess sector-specific knowledge and skills. If this is absent, consider providing some technical assistance. This could come from the department being audited, and will allow the more technical or complex aspects of your business to be clarified or explained. An auditor who is overwhelmed by, for example, the complexities of cryptography will add little value; with the requisite assistance and explanation, however, they will be able to make a judgement on the suitability of ISMS-related business activities.
A successful auditor requires judgement and the ability to evaluate the potential impact of any problems identified. Not every issue will require immediate remedial action. Issues should be evaluated against their likelihood and consequence of occurrence, taking into account the mitigation measures that are already in place.
Staff members who possess these attributes may be mentored by more experienced personnel to ensure they maintain a value-add approach to auditing.
Does an internal audit need to be conducted by someone internal to your organisation?
No, internal audits can be conducted by third parties, such as URM.
What are the pros and cons of using a third-party organisation?
Pros include impartiality, knowledge of the Standard and expectations of certification body assessors, auditing expertise and qualifications, experience of auditing other similar organisations, and availability.
Cons include less organisational knowledge (although this can sometimes be an advantage, as a third party is less likely to make assumptions) and cost.
How do you conduct an internal ISO 27001 audit?
The responsibility to conduct an audit will typically be delegated by a member of the organisational leadership team. This individual will have a greater oversight of the organisational ‘landscape’ and should provide the Scope and Criteria for the audit. Armed with this, the auditor can then begin to plan the structure of the audit. Typical considerations would be as follows:
- How long have I been allocated to conduct the audit?
- Who would be the best representative to speak to regarding the audit I have been asked to conduct?
- How can I plan my audit with the department to maximise the available time?
- From the Criteria (the ‘what should be’), how can I extract questions that will enable me to investigate to the extent necessary to confirm that this requirement is being met?
- What evidence should I expect to see, or be presented with, in support of this investigation (the ‘what is’)?
Once you have decided upon a plan for your audit, it is good practice to forward this to the auditee, to enable them to arrange for the relevant people to be available.
Once these (and any other questions) have been answered, the auditor should arrange an opening meeting with the auditee(s). For an internal audit this is likely to be a relatively informal affair, consisting of introductions and confirmation of, or changes to, the audit arrangements.
At the conclusion of this meeting, the audit can begin. Individual staff should be interviewed, processes observed and documentation that has been produced in support of business activities should be reviewed. Auditors should follow an approach of ‘ask, check, verify and record’:
- Ask - ask open questions to begin conversations about the process or system. Listen to the answers provided, as these may lead to further ‘probing’ questions to elicit more detail. If a potential trail appears, further investigation may be required, provided it does not lead the auditor outside the scope of the audit.
- Check - use additional questions to verify the facts of the auditee’s comments.
- Verify - look for supporting evidence of what the auditee has said.
- Record - make a note of the evidence for what you have been told, whether the finding is positive or negative. In the event of a finding, record as much detail as necessary so that your report leads the auditee precisely to where the problem was identified.
For more detailed insight and advice on preparing for and conducting internal audits, refer to URM’s webinar recordings.
How do you develop an internal audit checklist for ISO 27001?
Internal audit checklists are sourced directly from the audit criteria. The Standard, or the ISMS, will provide direction on how a particular activity should be conducted. The corresponding checklist question would follow a theme of ‘how does your department meet this requirement?’ or ‘how do you ensure that this policy is followed?’.
Auditors should attempt, as far as possible, to understand what a particular requirement of the Standard is aiming to achieve and tailor questions to enable the extraction of the appropriate level of detail. The auditor who quotes verbatim from the Standard is likely to be greeted with confusion by an auditee.
It is worth bearing in mind that the terminology of the Standard will not always be used by business departments: ‘needs and expectations of interested parties’ is more likely to be captured as ‘customer requirements’, and ‘business objectives’ may be referred to as ‘departmental goals’, ‘milestones’, ‘targets’ or similar.
Once you have used your high-level checklist question to gain an insight into an organisational process, then ask additional questions to extract greater detail and gain corroboration. These additional questions cannot be planned, so the auditor must pay attention to the answers that are received and tailor questions to extract additional detail as required.
Are standards on internal audit mandatory?
The International Organization for Standardization (ISO) has produced a specific standard that provides guidance on conducting audits, ISO 19011, however this is not mandatory from an ISO 27001 perspective.
What standards do internal auditors use?
Whilst ISO 19011 is not mandatory, it is recommended that auditors align to this guidance where appropriate to the specific needs and requirements of their audit programme. Additional standards relevant to ISO 27001 may also be used when auditing individual elements of your ISMS:
- ISO 27007:2020 provides guidance on ISMS auditing and concentrates on Clauses 4-10 of the Standard
- ISO 27008:2019 provides guidance for the assessment of information security controls (Annex A of the Standard).
What are some of the traits or characteristics of an effective auditor?
Here are some valuable traits and characteristics of an effective auditor:
- Ethical - fair, truthful, sincere, honest and discreet
- Open-minded - willing to consider alternative ideas or points of view
- Diplomatic - tactful in dealing with individuals
- Observant - actively observing physical surroundings and activities
- Perceptive - aware of and able to understand situations
- Versatile - able to readily adapt to different situations
Who are the typical auditees in an ISO 27001 internal audit?
During an internal audit, an auditor will need to speak to people at different levels and authorities within the business - such as:
- The person who has overall accountability for the process, system or control
- The person who conducts the process on a day-to-day basis
- If auditing the awareness of employees, a random sampling of employees, chosen by the auditor, from different areas of the organisation will be needed
What are the different types of ISO 27001 audits?
There are 3 types of ISO 27001 audits:
- 1st Party - An organisation’s audit of its own systems (internal)
- 2nd Party - Audits of suppliers, or a potential customer / partner auditing your management system to satisfy their individual requirements (external)
- 3rd Party - Audits by an external independent body, e.g. a certification body (external)
How do you prepare for an ISO internal audit?
In order to prepare for an audit, the following steps should be taken:
- Appoint auditors - these must be impartial of the process being audited, avoiding conflicts due to reporting lines, and have the correct competencies to conduct the audit.
- Consider notice - identify who the auditee(s) are and establish contact to inform them and schedule interviews, as well as determine if a guide, observer, interpreter or any additional technical expertise is required.
- Management commitment - audits must be supported by management and buy in will aid with the availability of auditees.
What are the pitfalls to avoid in conducting ISO 27001 audits?
Some pitfalls to avoid when organising and conducting an ISO 27001 audit include:
- Not communicating the scope and criteria effectively enough for the audit and inadequate planning/confirmation with the departments/areas being audited.
- Allowing auditees to assume control of the audit, potentially avoiding responses to the questions asked
- Not collecting adequate objective evidence to support statements of conformance or nonconformance
- Allowing subjectivity to influence audit findings and conclusions - i.e. not being objective
- Being poorly prepared and not understanding the policies, clauses or controls that are being audited
- Following audit trails that are inconsequential and compromise the ability to conduct the audit in the available timeframe.
What are the different levels of findings/nonconformities?
There are 3 levels of findings which may result from an audit:
- Major nonconformity - a systemic or critical failure of a process to control elements of the management system. These are generally raised against mandatory clauses; however failure of multiple Annex A controls may point to a clause not being in place
- Minor nonconformity - a single or non-critical failure of the process to control elements of the management system. This could be raised against mandatory clauses, Annex A controls or the organisation’s own policies. An aggregation of minor nonconformities could be escalated to a major nonconformity, but there is no magic number; it would be conditional upon the aggregation of risks in the area affected.
- Opportunity for improvement - where there has been no nonconformity, but a potential weakness has been noted. There may not be any objective evidence of a nonconformity but in the judgement of the auditor, there could potentially be a problem in the future if this is not addressed.
Nonconformities must have corrective actions planned against them, in order to rectify the problem. An organisational decision may define the timeframe for the production of a corrective action plan, which may vary depending on the severity of the finding (Major or minor nonconformity). It should be noted that this timeframe is for the production of a plan to rectify the problem. The actual resolution of the problem can in some cases take time, however organisations must demonstrate that they are progressing towards closing the finding.
Where an opportunity for improvement has been identified, the organisation should decide if there is a benefit to be realised from addressing this opportunity. It is good business practice to capture opportunities for improvement at subsequent management meetings to provide evidence that this consideration has been given.
What is the difference between a minor and major nonconformity?
A minor nonconformity is a single or non-critical failure of the ISMS, whereas a major nonconformity is a more systemic or critical failure of a process or of key elements of the management system. If your organisation is attempting to gain third-party certification, a major nonconformity may prevent that certification from being granted. Similarly, once your organisation has achieved certification, a finding of this nature may, in certain circumstances, result in the suspension of your certification.
How do you ensure consistency in internal auditing?
To maintain consistency in internal auditing, organisations should implement an internal audit process which clearly sets out the steps to be followed during an audit. This could include:
- Requirements for competency - for example, having undertaken certain training or experience
- Opening and closing meetings - this could include an agenda of items to be discussed to ensure the auditor and auditees have the same understanding, and that any audit findings are discussed at the end of an audit
- Audit report template - this way audit findings and observations can be consistently reported on