If you are going for ISO 27001 certification or you are already certified then you are going to have to perform internal audits.
Internal audits are part of the continual improvement process. They check that everything is working as it should and identify any areas that could be improved.
I am Stuart Barker the ISO 27001 Ninja and this is everything you need to know about ISO 27001 internal audit.
Table of contents
- ISO 27001 Audit Toolkit
- How to conduct an ISO 27001 Internal Audit : The Information Security Managers Guide
- Conducting the internal audits
- Report your audit findings
- Update the Incident and Corrective Action Log
- Update the Audit Schedule
- Step by Step Guide to ISO 27001 Internal Audit
- ISO 27001 Internal Audit Walkthrough
ISO 27001 Audit Toolkit
Before we look at the step by step guide lets consider some helpful templates. The ISO 27001 Audit Toolkit includes everything you need to conduct ISO 27001 audits and ISO 27001 gap analysis.
How to conduct an ISO 27001 Internal Audit: The Information Security Managers Guide
Creating your audit plan
Document: Audit Plan
The audit plan document allows you to plan both the internal and external audits for the year and to record when those audits took place.
You will complete the audit plan for the year ahead. Remembering that audit is based on risk the following are considerations when planning audits:
- Plan your external audits first. These represent anchor points and give you a goal and target by which your internal audits should have completed.
- The entire ISMS and the Annex A / ISO 27002 controls require auditing at least once in a 12-month period.
- When considering if an area requires auditing more than once consider if the control represents a high-risk area or a significant incident or failing has occurred with the control in the last 12 months.
- Update your document version control.
- Remember to audit both the ISMS and the ANNEX A controls
The following are the high-level areas that require audit. In the audit working document these are both tabs.
- The Information Security Management System
- Performance evaluation
- The Annex A Control Areas
- Information security policies
- Organisation of information security
- Human resource security
- Asset management
- Access control
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development, and maintenance
- Supplier Relationships
- Information security incident management
- Information security aspects of business continuity management
Updating the audit plan
The audit plan is updated based on changes and scheduling requirements. The following are usual scenarios when the audit plan will require updating.
- Staff availability changes.
- Your audit plan slips.
- You have a significant incident.
When the audit plan changes it should be presented at the next Management Review Team Meeting and recorded in the minutes of the meeting.
Note: Remember to update your document version control
Conducting the internal audits
Identify the control owners
The RASCI document is used to record who is accountable and who is responsible for the controls. Using this document, you will have recorded the people to speak to. There may be others since the document was created so now is a good time to update the RASCI if needed.
Decide on your audit approach
Audit is based on ‘If it is not written down it does not exist’. Your audit will look for evidence of documents, files, records. You have 3 main options in conducting an audit and you can choose one or a combination of the following:
Speaking to people and seeking answers to questions on controls. Be sure to record the date, time, location and who as well as the notes from the interview. It is best practice though not essential to send the record of the interview to the interviewee stating that if you have misunderstood or misrepresented for them to send you back the changes.
Observation of process and activity
Like an interview you will sit with the person and observe either the systems they use or the operation of the process as they perform it. Follow the same guidelines as for interview.
Review of documents and records
Speaking to control owners you will ask them to send you links to or copies of the documentation and records that make up the control. It can include screenshots. You are looking for the evidence of the operation of the process and control.
Contact the Control Owners
Make contract with the person or persons that you are going to audit. Introduce yourself and explain the context of what you are going to do, what you are going to cover in the audit and what the outcome will be. Explain to them your approach to the audit based on the 3 options discussed when deciding your audit approach. Ask them for the best times and dates for holding a 1-hour meeting to conduct the audit and be flexible to their schedule. You want the person onside and comfortable.
Arrange the Audit Meeting
Your audit meeting can take from 10 minutes up to 1 hour depending on the maturity of the process and the availability of the evidence. Schedule your first meeting for 1 hour.
Create and send an agenda that covers:
- The time, location, and attendees
- The details of the control objectives you will cover.
- The list of documents or types of documents and records you would like access to
Send the agenda and the meeting request in good time and be prepared to reschedule based on people’s availability.
Save a copy of the agenda in the audit folder for your records.
For a face-to-face meeting ensure that the meeting takes place in location with a screen on which the person can display any relevant documents.
For a web-based meeting ensure your environment is set up for a professional level meeting and your technology is properly configured. If sharing a desktop be sure that no confidential documents are open, that notifications are disabled, that chat is disabled.
Conduct your first meeting
Introduce yourself and explain the context of what you are doing, the agenda and what you are hoping to achieve. Explain the audit approach that you have decide to take. Explain that this is not a test, that not knowing an answer is perfectly acceptable and that a follow up meeting can be arranged for any gaps or documents can be shared after the meeting.
Perform the audit
Maintaining one document through out the year that you add to with each consecutive audit is good practice. Within a 12-month period you will have completed all audits, with the dates of each audit recorded next to each control. Be sure to keep version control and update the version control section.
Go to the section of the document that relates to the audit you are conducting.
For each control
- Read the control objective.
- Clarify what the control objective is hoping to achieve.
- Gain comfort that there is an understanding what the control objective is hoping to achieve.
- Consider verbally providing examples of the types of documents, records, processes that typically satisfy this control as a guide.
- Update the Date Last Assessed Column to the date the audit.
- Update the Evaluation Method Column to the Audit Approach you are taking.
- Complete the positive and negative columns with comments on the findings that you are presented with and can evidence. Where you are provided documents record the name, version, and location.
- Make your assessment and record your Rating.
After the Audit Meeting
If there are items that were not able to be covered and require follow up repeat the above process until you are satisfied you have covered all control objectives and reviewed all available evidence.
Report your audit findings
Either in person or digitally present your audit findings to the person (s) audited. Seek agreement that it represents what was discussed and the reality as they see it or clarifications they would wish to make. It may be that you have misunderstood something or that further evidence is available but was not provided on the day.
Be clear that the findings are not a reflection on any individual or their role and are not a comment on the operation in either a positive or negative way. Explain the findings are objective based on evidence provided. Where there is a request to provide additional supporting evidence consider setting a time limit.
To Management Review Team
Document: Audit Report – TEMPLATE
Complete the audit summary report for management.
Audit reports are presented to the Management Review Team and the Management Review Team Meeting.
Ensure that the agenda and the minutes of the Management Review Team Meeting reflect the audit that you conducted and are reporting out.
Update the Incident and Corrective Action Log
Update the Incident and Corrective Actions Log with nonconformities and the corrective actions.
Consider if a new risk is required on the risk register and to be managed as part of the risk management process.
Update the Audit Schedule
Update the audit schedule to show that the audit that was conduct.
Update the forward schedule for future audits as required based on the outcome of this audit. If Non-Conformities were observed, consider scheduling a reaudit in 3 months time.
Update all document version control information.
Step by Step Guide to ISO 27001 Internal Audit
Time needed: 4 hours and 30 minutes
How to conduct an ISO 27001 Internal Audit
- Update your audit plan for the year
The audit plan is based on risk and also availability. This is an admin step that is required. Consider which areas are the most risky to your business and plan to audit them more than once. Be sure to plan all your audits for the year so that you have done at least one pass of all controls before your external audit happens. Add the external audit to the plan.
- Identify the control owners
To be able to conduct an audit you need to know who to audit. The RASCI matrix is a great tool to record this but if you do not have one then list the control areas in a spreadsheet and record who is responsible for them.
- Decide on your audit approach
We work on the principle that if it is not written down it does not exist or did not happen. Consider the approach you will take. You can review records and documents, you can interview people, you can observe people operating a process or you can do a combination.
- Contact the Control Owners
Speak to the people that own the controls and take time to explain what you are going to do, why you are going to do it and what they can expect.
- Arrange the audit meeting
Arrange the audit meeting at a time to suit everyone.
- Conduct Your First Meeting
At your first meeting you will introduce yourself and explain what you are doing, why you are doing and what they can expect.
- Conduct the audit
- Create your audit report
Taking the raw data from the audit worksheet create a management report of your audit findings. Include key findings and observations. It may be appropriate to put forward recommendations for improvement if you know them or record there is a gap that needs to be addressed.
- Report your audit findings
The cycle of reporting is to first send the report to the person that you audited. This allows for them to provide additional information if your results are in dispute. Once the final report is created then this is shared at the next management review meeting and the process of continual improvement starts.
- Update the audit plan
Update the audit plan to show that the audit was conducted. Update any document version control.