How to conduct an ISO27001 Internal Audit

Home / ISO 27001 Tutorial / How to conduct an ISO27001 Internal Audit

Introduction

If you are going for ISO27001 certification or you are already certified then you are going to have to perform internal audits.

Internal audits are part of the continual improvement process. They check that everything is working as it should and identify any areas that could be improved.

I am Stuart Barker the ISO27001 Ninja and this is everything you need to know about ISO27001 Internal Audit.

To understand what ISO27001 has to say about Internal Audit read the ISO27001 Clause 9.2 Internal Audit – Ultimate Certification Guide

ISO27001 Audit Toolkit

Before we look at the step by step guide lets consider some helpful templates.

The best way is to get a copy of the Ultimate ISO27001 Toolkit of which the ISO27001 Audit Toolkit is a part. We have made the ISO27001 Audit Toolkit available standalone.

The ISO27001 Audit Toolkit includes everything you need to conduct ISO27001 audits and ISO27001 gap analysis.

ISO 27001 Gap Analysis and Audit Toolkit

DO IT YOURSELF ISO 27001

STOP SPANKING £10,000s

ISO 27001 Toolkit

How to conduct an ISO27001 Internal Audit: The Information Security Managers Guide

Creating your audit plan

Document: Audit Plan

ISO 27001 Audit Plan Example 2

The audit plan document allows you to plan both the internal and external audits for the year and to record when those audits took place. 

You will complete the audit plan for the year ahead. Remembering that audit is based on risk the following are considerations when planning audits:

  • Plan your external audits first. These represent anchor points and give you a goal and target by which your internal audits should have completed. 
  • The entire ISMS and the Annex A / ISO27002 controls require auditing at least once in a 12-month period.
  • When considering if an area requires auditing more than once consider if the control represents a high-risk area or a significant incident or failing has occurred with the control in the last 12 months.
  • Update your document version control. 
  • Remember to audit both the ISMS and the ANNEX A controls

The following are the high-level areas that require audit. In the audit working document these are both tabs.

  • The Information Security Management System
  • Context
  • Leadership
  • Planning
  • Support
  • Operation
  • Performance evaluation
  • Improvement
  • The Annex A Control Areas
  • Information security policies
  • Organisation of information security
  • Human resource security
  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Operations security
  • Communications security
  • System acquisition, development, and maintenance
  • Supplier Relationships
  • Information security incident management
  • Information security aspects of business continuity management
  • Compliance

Updating the audit plan

The audit plan is updated based on changes and scheduling requirements. The following are usual scenarios when the audit plan will require updating.

  • Staff availability changes. 
  • Your audit plan slips.
  • You have a significant incident. 

When the audit plan changes it should be presented at the next Management Review Team Meeting and recorded in the minutes of the meeting.

Note: Remember to update your document version control 

Conducting the internal audits

Identify the control owners

The RASCI document is used to record who is accountable and who is responsible for the controls. Using this document, you will have recorded the people to speak to. There may be others since the document was created so now is a good time to update the RASCI if needed. 

ISO 27001 RASCI Matrix Free PDF Example 3

Decide on your audit approach

Audit is based on ‘If it is not written down it does not exist’. Your audit will look for evidence of documents, files, records. You have 3 main options in conducting an audit and you can choose one or a combination of the following:

Interview

Speaking to people and seeking answers to questions on controls. Be sure to record the date, time, location and who as well as the notes from the interview. It is best practice though not essential to send the record of the interview to the interviewee stating that if you have misunderstood or misrepresented for them to send you back the changes. 

Observation of process and activity

Like an interview you will sit with the person and observe either the systems they use or the operation of the process as they perform it. Follow the same guidelines as for interview. 

Review of documents and records

Speaking to control owners you will ask them to send you links to or copies of the documentation and records that make up the control. It can include screenshots. You are looking for the evidence of the operation of the process and control. 

Contact the Control Owners

Make contract with the person or persons that you are going to audit. Introduce yourself and explain the context of what you are going to do, what you are going to cover in the audit and what the outcome will be. Explain to them your approach to the audit based on the 3 options discussed when deciding your audit approach. Ask them for the best times and dates for holding a 1-hour meeting to conduct the audit and be flexible to their schedule. You want the person onside and comfortable.

Arrange the Audit Meeting

Your audit meeting can take from 10 minutes up to 1 hour depending on the maturity of the process and the availability of the evidence. Schedule your first meeting for 1 hour. 

Create and send an agenda that covers:

  • The time, location, and attendees 
  • The details of the control objectives you will cover.
  • The list of documents or types of documents and records you would like access to 

Send the agenda and the meeting request in good time and be prepared to reschedule based on people’s availability.

Save a copy of the agenda in the audit folder for your records.

For a face-to-face meeting ensure that the meeting takes place in location with a screen on which the person can display any relevant documents.

For a web-based meeting ensure your environment is set up for a professional level meeting and your technology is properly configured. If sharing a desktop be sure that no confidential documents are open, that notifications are disabled, that chat is disabled. 

Conduct your first meeting

Introduce yourself and explain the context of what you are doing, the agenda and what you are hoping to achieve. Explain the audit approach that you have decide to take.  Explain that this is not a test, that not knowing an answer is perfectly acceptable and that a follow up meeting can be arranged for any gaps or documents can be shared after the meeting. 

Perform the audit

Document: Audit Compliance Report. – Base Template xlsx

Maintaining one document through out the year that you add to with each consecutive audit is good practice. Within a 12-month period you will have completed all audits, with the dates of each audit recorded next to each control. Be sure to keep version control and update the version control section.

Go to the section of the document that relates to the audit you are conducting. 

For each control 

  • Read the control objective. 
  • Clarify what the control objective is hoping to achieve.
  • Gain comfort that there is an understanding what the control objective is hoping to achieve.
  • Consider verbally providing examples of the types of documents, records, processes that typically satisfy this control as a guide. 
  • Update the Date Last Assessed Column to the date the audit.
  • Update the Evaluation Method Column to the Audit Approach you are taking. 
  • Complete the positive and negative columns with comments on the findings that you are presented with and can evidence. Where you are provided documents record the name, version, and location.
  • Make your assessment and record your Rating. 
ISO27001 Audit Worksheet

After the Audit Meeting

If there are items that were not able to be covered and require follow up repeat the above process until you are satisfied you have covered all control objectives and reviewed all available evidence.

Report your audit findings

To Auditee

Either in person or digitally present your audit findings to the person (s) audited.  Seek agreement that it represents what was discussed and the reality as they see it or clarifications they would wish to make. It may be that you have misunderstood something or that further evidence is available but was not provided on the day. 

Be clear that the findings are not a reflection on any individual or their role and are not a comment on the operation in either a positive or negative way. Explain the findings are objective based on evidence provided. Where there is a request to provide additional supporting evidence consider setting a time limit.

To Management Review Team

Document: Audit Report – TEMPLATE

Complete the audit summary report for management. 

Audit reports are presented to the Management Review Team and the Management Review Team Meeting. 

Ensure that the agenda and the minutes of the Management Review Team Meeting reflect the audit that you conducted and are reporting out.

Update the Incident and Corrective Action Log

Update the Incident and Corrective Actions Log with nonconformities and the corrective actions. 

ISO27001-Incident-and-Corrective-Action-Log-Example

Update the Risk Register

Consider if a new risk is required on the risk register and to be managed as part of the risk management process

ISO 27001 Risk Register Example 2

Update the Audit Schedule

Update the audit schedule to show that the audit that was conduct. 

Update the forward schedule for future audits as required based on the outcome of this audit. If Non-Conformities were observed, consider scheduling a reaudit in 3 months time. 

Update all document version control information.

Step-by-Step Guide to ISO27001 Internal Audit

Time needed: 4 hours and 30 minutes

How to conduct an ISO27001 Internal Audit

  1. Update your audit plan for the year

    The audit plan is based on risk and also availability. This is an admin step that is required. Consider which areas are the most risky to your business and plan to audit them more than once. Be sure to plan all your audits for the year so that you have done at least one pass of all controls before your external audit happens. Add the external audit to the plan.

  2. Identify the control owners

    To be able to conduct an audit you need to know who to audit. The RASCI matrix is a great tool to record this but if you do not have one then list the control areas in a spreadsheet and record who is responsible for them.

  3. Decide on your audit approach

    We work on the principle that if it is not written down it does not exist or did not happen. Consider the approach you will take. You can review records and documents, you can interview people, you can observe people operating a process or you can do a combination.

  4. Contact the Control Owners

    Speak to the people that own the controls and take time to explain what you are going to do, why you are going to do it and what they can expect.

  5. Arrange the audit meeting

    Arrange the audit meeting at a time to suit everyone.

  6. Conduct Your First Meeting

    At your first meeting you will introduce yourself and explain what you are doing, why you are doing and what they can expect.

  7. Conduct the audit

    Using the audit work sheet it is good practice to maintain one working sheet for the entire year. Conduct the audit and record the results in the audit sheet including dates.

  8. Create your audit report

    Taking the raw data from the audit worksheet create a management report of your audit findings. Include key findings and observations. It may be appropriate to put forward recommendations for improvement if you know them or record there is a gap that needs to be addressed.

  9. Report your audit findings

    The cycle of reporting is to first send the report to the person that you audited. This allows for them to provide additional information if your results are in dispute. Once the final report is created then this is shared at the next management review meeting and the process of continual improvement starts.

  10. Update the audit plan

    Update the audit plan to show that the audit was conducted. Update any document version control.

ISO27001 Internal Audit Walkthrough

Stuart - High Table - ISO27001 Ninja - 3
ISO 27001 Toolkit Business Edition

Do It Yourself ISO27001 with the Ultimate ISO27001 Toolkit

Stop Spanking £10,000s on Consultants and ISMS Online Tools.

March Deal – Life Time Access – Save 50%