The ISO 27001 standard requires an organisation to effectively check itself. It is part of the process of continual improvement and one of the checks and balances. ISO 27001 is not a one-and-done exercise: internal audit is expected to be in place and operating before the certification audit and to continue afterwards.
In this ultimate guide to ISO 27001:2022 Clause 9.2 Internal Audit you will learn:
- What ISO 27001 Clause 9.2 is
- How to implement it
- How to do an internal audit
What is ISO 27001 Clause 9.2?
ISO 27001 Clause 9.2 Internal Audit requires an organisation to conduct internal audits at planned intervals to ensure the management system is operating effectively. For ISO 27001 certification the standard wants you to test and check that the management system and the associated Annex A information security controls are in place and operating as expected and required. It is one of the ISO 27001 controls.
Purpose
The purpose of clause 9.2 is to ensure that you have independently checked and verified that the information security management system (ISMS) is operating effectively and meeting its intended outcomes.
Definition
In the 2022 revision the wording of this clause has been moved into two new separate sub-clauses. The definitions for those are as follows.
ISO 27001:2022 Clause 9.2.1 General – New clause
The organisation shall conduct internal audits at planned intervals to provide information on whether the information security management system:
a) conforms to
1) the organisation’s own requirements for its information security management system;
2) the requirements of this document;
b) is effectively implemented and maintained.
ISO 27001:2022 Clause 9.2.2 Internal Audit Programme – New clause
The organisation shall plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting.
When establishing the internal audit programme(s), the organisation shall consider the importance of the processes concerned and the results of previous audits.
The organisation shall:
a) define the audit criteria and scope for each audit;
b) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;
c) ensure that the results of the audits are reported to relevant management;
Documented information shall be available as evidence of the implementation of the audit programme and the audit results.
What are the ISO 27001:2022 Changes to Clause 9.2?
Nothing significant has changed in ISO 27001 Clause 9.2 Internal Audit in the 2022 update. The changes are wording and clarification changes, together with a change to the layout of how the requirements are presented: rather than one clause, the elements have been split out into two sub-clauses for enhanced clarity.
Implementation Guide
General
There are many ways to conduct internal audits.
ISO 27001 internal audits must be done by someone who is independent.
That doesn't mean that you have to bring in outside third party resource to do it, although it can help.
Specialist resource can add incredible value in terms of insights and improvements, and will be truly impartial.
It is better to have independence at this stage, prior to your external audits.
Whoever does it, they should record evidence of the audits, maintain working papers, create management reports and report out to the management review team.
This is going to be one of the biggest constraints, time sinks and burdens placed upon you, and you have two approaches to it. Many organisations outsource this to an ISO 27001 consultant, which is absolutely fine and gives you the independence that you need. Alternatively you can conduct it yourself, and I'm now going to walk you through exactly how you can do that. The only caveat is that the person who conducts the audit has to be independent of the area being audited.
ISO 27001 Clause 7.2 Competence covers the competence of people to perform the role. So be aware that if you do pick somebody internal to your organisation there may be some challenges around their competence, their experience or their training. That said, what follows walks you through exactly how you can do this yourself.
Plan your ISO 27001 internal audit programme
Plan your internal audit programme for ISO 27001 based on the needs and availability of the business as well as based on risk. Ensure you plan your external certification audits. Everything should be audited at least once annually before an external audit.
What you need to do is complete your audit plan for the year ahead, based on risk.
If I see a waterfall audit plan as an auditor that would raise some alarm bells.
You are planning your audits based on risk:
- What is the risk of the process?
- What is the risk of the control?
- What is the risk to our organisation?
You are also taking into account the outputs from previous audits.
Where previous audits have identified something, that would be something that you would audit more rigorously and more often.
Taking the risk register you will identify the things that are higher risk and audit them more frequently.
If you have put in a risk mitigation then you want to check that that risk mitigation is working by reviewing and auditing more often.
Your audit plan will cover the entire year, setting out what you are auditing over the next 12 months. This shows that this is an ongoing management system: you do not just show the audits that have been conducted, you also show the audits going forward.
It is important to remember that the audit covers both the information security management system and the ISO 27001 Annex A controls. One thing people often miss or get wrong is that they concentrate their audits just on the ISO 27001 Annex A controls and leave out the management system. We are testing the effectiveness of the management system and of those ISO 27001 Annex A controls as well.
The audit plan is updated based on changes and scheduling requirements. The following are usual scenarios when the plan will require updating:
- when staff availability changes
- when your audit plan slips
- when you have a significant incident.
When the audit plan changes it should be presented to the next management review team meeting and recorded in the minutes of the meeting. Remember to update your version control.
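As an added illustration of the risk-based planning described above (this is example code, not part of the original guide or its toolkit), the Python below builds a constructed 12-month audit plan: every area at least once a year, higher-risk areas and areas with a prior finding more often, spread across the year rather than bunched up, and then checks that everything has been audited at least once before a given month. The frequency table and the sample audit areas are assumptions for illustration, not values taken from the standard.

```python
from collections import defaultdict

# Constructed sample audit universe: ISMS clauses and Annex A themes, each with
# a risk rating taken from the risk register and whether the previous audit
# raised a finding. These rows are illustrative, not from any real register.
AUDIT_AREAS = [
    {"area": "Clause 6.1 Risk assessment", "risk": "high", "prior_finding": False},
    {"area": "Clause 7.2 Competence", "risk": "low", "prior_finding": False},
    {"area": "Clause 9.3 Management review", "risk": "medium", "prior_finding": True},
    {"area": "Annex A 5 Organisational controls", "risk": "medium", "prior_finding": False},
    {"area": "Annex A 8 Technological controls", "risk": "high", "prior_finding": True},
    {"area": "Annex A 6 People controls", "risk": "low", "prior_finding": False},
]

# Assumed baseline: audits per 12 months by risk rating (every area at least once).
BASE_FREQUENCY = {"high": 4, "medium": 2, "low": 1}


def audits_per_year(item):
    """Everything at least once a year; higher risk and prior findings more often."""
    n = BASE_FREQUENCY[item["risk"]]
    if item["prior_finding"]:
        n += 1  # re-check that the corrective action is actually working
    return max(1, n)


def build_plan(areas, start_month=1):
    """Spread each area's audits evenly over 12 months instead of auditing in one block."""
    plan = defaultdict(list)
    for i, item in enumerate(areas):
        n = audits_per_year(item)
        step = max(1, 12 // n)          # months between repeat audits of this area
        offset = i % step               # stagger start months so the load is spread
        for k in range(n):
            month = (start_month - 1 + offset + k * step) % 12 + 1
            plan[month].append(item["area"])
    return dict(sorted(plan.items()))


def gaps_before(plan, areas, month):
    """Areas not audited at least once before `month` (e.g. the certification audit)."""
    covered = {a for m, names in plan.items() if m < month for a in names}
    return [a["area"] for a in areas if a["area"] not in covered]


if __name__ == "__main__":
    plan = build_plan(AUDIT_AREAS)
    for m, names in plan.items():
        print(f"Month {m:2d}: {', '.join(names)}")
    print("Not yet audited before month 12:", gaps_before(plan, AUDIT_AREAS, 12))
```

Feeding the plan into the management review pack is then a matter of printing or exporting the `plan` mapping, and re-running `gaps_before` after every reschedule shows whether the "everything at least once before the certification audit" requirement still holds.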
Establish your ISO 27001 internal audit programme
Establish your ISO 27001 internal audit programme by having an audit plan and document the internal audit process. Allocate roles and responsibilities.
Implement your ISO 27001 internal audit programme
Implement the plan in your organisation, ensuring that it reports to the management review team as part of the structured, required agenda. Management Review Team meetings should happen monthly, or at least quarterly, to be effective.
Maintain your ISO 27001 internal audit programme
Continue to run and adapt your ISO 27001 internal audit programme following your continual improvement processes.
Conduct internal audits
Conduct your internal audits by following the detailed steps in the How to Conduct an ISO 27001 Internal Audit Guide.
ISO 27001 Audit Templates
The ISO 27001 Gap Analysis and Audit Toolkit fully meets the requirements of ISO 27001 Clause 9.2. It is available as an individual download and is also part of the internationally best selling and award winning ISO 27001 Toolkit.
How to comply
You demonstrate compliance with ISO 27001 clause 9.2 internal audit by having an audit plan in place that covers the audits conducted and the future audits you have planned. In addition you will show evidence of the internal audits conducted.
Perform at least one internal audit of everything before you go for your certification audit, and make sure your audit plan shows future audits and post-certification audits.
Remember that internal audits are a continual process.
What the auditor will check
The audit is going to check a number of areas for compliance with Clause 9.2. Let's go through them.
1. That you have an audit plan
They are going to check that you have an audit plan and that you are following the plan. They will check that audits have been completed and that future audits are planned in.
2. That you do internal audits
They are going to check that you do a full internal audit of everything at least once a year. As part of this they will look to ensure that the person conducting the audit is competent to do so and that they are independent of the area being audited. They may well check audit working papers and seek evidence of interviews if you did them. In addition they want to see the audit report, that it was shared with the management team, and that any actions arising from the audit were documented and implemented, with reference to continual improvement and to any risk management that may result.
Top 3 Mistakes People Make
In my experience, the top 3 mistakes people make for ISO 27001 clause 9.2 are:
- You have not done internal audits
- You did audits but the person doing them was either not competent to do so and/or was not independent of the area being audited
- You have no evidence of the results being shared with management or actions being taken as a result of the audit
- A cheeky number 4 is that you did not formally include the recommendations of the external audits in your corrective action log and future audit plan.
FAQ
ISO 27001 Clause 9.2 requires an organisation to conduct internal audits to check that the information security management system and information security controls are operating as intended.
ISO 27001 clause 9.2 compliance is evidenced by having an audit plan, a documented audit process and evidence that internal audits were conducted across ISO 27001 and Annex A at least once before the certification audit.
You can download ISO 27001 Clause 9.2 templates in the ISO 27001 Toolkit.
An example of ISO 27001 Clause 9.2 can be found in the ISO 27001 Toolkit.
You perform ISO 27001 internal audits at least once annually and based on risk.
ISO 27001 internal audits are performed by someone independent. It can be someone external to the organisation but it doesn't have to be.
The results of the ISO 27001 internal audits are reported to the management review team as part of the structured agenda and reporting.
If an ISO 27001 internal audit identifies a non-conformity, i.e. something that is not working as expected, then you follow the documented continual improvement process.