ISO 27001 Internal Audit

I am going to show you what ISO 27001 Clause 9.2 Internal Audit is, what’s new, give you ISO 27001 templates, an ISO 27001 toolkit, show you examples, do a walkthrough and show you how to implement it.

I am Stuart Barker, the ISO 27001 Ninja, and using over two decades of experience on hundreds of ISO 27001 audits and ISO 27001 certifications, I show you exactly what changed in the ISO 27001:2022 update and exactly what you need to do for ISO 27001 certification.


What is it?

ISO 27001 Clause 9.2 Internal Audit requires an organisation to conduct internal audits at planned intervals to ensure the information security management system is operating effectively. The ISO 27001 standard for ISO 27001 certification wants you to test and check that the management system and the associated Annex A information security controls are in place and operating as expected and required. It is one of the ISO 27001 controls.

The ISO 27001 standard requires an organisation to effectively check itself. It is part of the process of continual improvement and one of the checks and balances. ISO 27001 is not a one-and-done exercise: internal audit is expected to be in place and operating before the certification audit and to continue after it.

Purpose

The purpose of clause 9.2 is to ensure that you have independently checked and verified that the information security management system (ISMS) is operating effectively and meeting its intended outcomes.

Definition

ISO 27001:2022 Clause 9.2 Internal Audit

In the 2022 revision the wording of this clause has been removed and shifted into two new, separate sub-clauses. The definitions for those are as follows.

ISO 27001:2022 Clause 9.2.1 General – New clause

The organisation shall conduct internal audits at planned intervals to provide information on whether the information security management system:

a) conforms to

1) the organisation’s own requirements for its information security management system;

2) the requirements of this document;

b) is effectively implemented and maintained.


ISO 27001:2022 Clause 9.2.2 Internal Audit Programme – New clause

The organisation shall plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting.

When establishing the internal audit programme(s), the organization shall consider the importance of the processes concerned and the results of previous audits.

The organisation shall:

a) define the audit criteria and scope for each audit;

b) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;

c) ensure that the results of the audits are reported to relevant management;


Documented information shall be available as evidence of the implementation of the audit programme and the audit results.

What are the ISO 27001:2022 Changes to Clause 9.2?

Nothing significant has changed in ISO 27001 Clause 9.2 Internal Audit in the 2022 update. The changes are to wording and clarification, together with a change to the layout in which the requirements are presented: rather than one clause, the elements have been split out into two sub-clauses for enhanced clarity.

ISO 27001 Internal Audit Templates

The ISO27001 Gap Analysis and Audit Toolkit fully meets the requirements of ISO 27001 Clause 9.2. It is available as an individual download and is also part of the internationally best-selling and award-winning ISO27001 Toolkit.


Implementation Guide

General

There are many ways to conduct internal audits.

ISO 27001 internal audits must be done by someone who is independent.

That doesn’t mean you have to bring in outside third-party resource to do it, although it can help.

Specialist resource can add incredible value in terms of insights and improvements, and they will be truly impartial.

It is better to have independence at this stage, prior to your external audits.

Whoever does it, they should record evidence of the audits, maintain working papers, create management reports and report out to the management review team.

This is going to be one of the biggest constraints, time sinks and burdens placed upon you, and you have two approaches to it. Many organisations outsource this to an ISO27001 consultant, which is absolutely fine and gives you the independence that you need. Alternatively you can conduct it yourself, and I’m now going to walk you through exactly how you can do that. The only caveat is that the person who conducts the audit has to be independent of the area being audited.

We’re also going to call out to ISO27001 Clause 7.2 Competence, which looks at the competence of people to perform the role. So just be aware that if you pick somebody internally in your organisation there may be some challenges around their competence, their experience or their training. That said, I’m now going to walk you through exactly how you can do this yourself.

Plan your ISO 27001 internal audit programme

Plan your internal audit programme for ISO 27001 based on the needs and availability of the business as well as on risk. Plan around your external certification audits: everything should be audited at least once annually, before an external audit.

ISO 27001 Audit Plan Example 2

What you need to do is complete your audit plan for the year ahead, remembering that the standard wants it to be based on risk. Yes, we can plan to do our internal audits in a waterfall method, sequentially, but if I were an auditor auditing that it would raise some alarm bells. When we plan our audits we plan them based on risk: what is the risk of the process, what is the risk of the control, what is the risk to our organisation? We also take into account the outputs from previous audits. Where previous audits have identified something, it may be something that we want to audit more rigorously and more often. When we look at our risk register, the things that are higher risk we want to audit more frequently. It may be that we have put in a risk mitigation and want to check that it is working, so again we plan that in, and we plan it in appropriately.

We’re going to create our audit plan for the year and set out over the next 12 months what it is that we’re going to do. We want to show that this is an ongoing management system. We’re not going to just show the audits that we’ve conducted; we are also going to plan those audits going forward.

When we look at what we’re auditing, we’re auditing both the information security management system and the ISO27001 Annex A controls. One of the things that people often miss or get wrong is that they concentrate their audits on the ISO27001 Annex A controls alone and miss out the management system, but we are testing and looking at the effectiveness of the management system as well as those ISO27001 Annex A controls. The guide on how to conduct an audit lays all of that out for you and explains how to update the plan.

So, the audit plan is updated based on changes and scheduling requirements. The following are the usual scenarios in which the plan will require updating:

  • when staff availability changes
  • when your audit plan slips
  • when you have a significant incident.

When the audit plan changes it should be presented to the next management review team meeting and recorded in the minutes of the meeting. Remember to update your version control.

Establish your ISO 27001 internal audit programme

Establish your ISO 27001 internal audit programme by having an audit plan and document the internal audit process. Allocate roles and responsibilities.

Implement your ISO 27001 internal audit programme

Implement the plan in your organisation, ensuring that it reports to the management review team as part of the structured, required agenda. Management Review Team meetings should happen monthly, or at least quarterly, to be effective.

Maintain your ISO 27001 internal audit programme

Continue to run and adapt your ISO 27001 internal audit programme following your continual improvement processes.

Conduct internal audits

Conduct your internal audits by following the detailed steps in the How to Conduct an ISO 27001 Internal Audit Guide.


How to comply?

You demonstrate compliance with ISO 27001 Clause 9.2 Internal Audit by having an audit plan in place that covers the audits conducted and the future audits you have planned. In addition you will show evidence of the internal audits conducted.

Perform at least one internal audit of everything before you go for your certification audit, and make sure your audit plan represents future audits and post-certification audits.

Remember that internal audits are a continual process.

What will the audit check?

The audit is going to check a number of areas for compliance with Clause 9.2. Let’s go through them.

1. That you have an audit plan

They are going to check that you have an audit plan and that you are following the plan. They will check that audits have been completed and that future audits are planned in.

2. That you do internal audits

They are going to check that you do a full internal audit of everything at least once a year. As part of this they will look to ensure that the person conducting the audit is competent to do so and that they are independent of the area being audited. They may well check audit working papers and seek evidence of interviews if you did them. In addition they want to see the audit report, that it was shared with the management team, and that any actions resulting from the audit were documented and implemented, with reference to continual improvement and to any risk management that may result.

Top 3 Mistakes People Make

In my experience, the top 3 mistakes people make for ISO27001 Clause 9.2 are:

  1. You have not done internal audits
  2. You did audits but the person doing them was either not competent to do so and/or was not independent of the area being audited
  3. You have no evidence of the results being shared with management or actions being taken as a result of the audit
  4. A cheeky number 4: you did not formally include the recommendations of the external audits in your corrective action log and future audit plan.

ISO 27001 Clause 9.2 FAQ

What is ISO 27001 Clause 9.2 Internal Audit?

ISO 27001 Clause 9.2 requires an organisation to conduct internal audits to check that the information security management system and information security controls are operating as intended.

How do I evidence I meet the requirement of ISO 27001 Clause 9.2?

ISO 27001 Clause 9.2 compliance is evidenced by having an audit plan, a documented audit process and evidence that internal audits were conducted across ISO 27001 and Annex A at least once before the certification audit.

Where can I download ISO 27001 Clause 9.2 templates?

You can download ISO 27001 Clause 9.2 templates in the ISO 27001 Toolkit.

ISO 27001 Clause 9.2 example?

An example of ISO 27001 Clause 9.2 can be found in the ISO 27001 Toolkit.

How often do you perform ISO 27001 internal audits?

You perform ISO 27001 internal audits at least once annually and based on risk.

Who performs ISO 27001 internal audits?

ISO 27001 internal audits are performed by someone independent. It can be someone external to the organisation, but it doesn’t have to be.

Who are ISO 27001 internal audits reported to?

The results of the ISO 27001 internal audits are reported to the management review team as part of the structured agenda and reporting.

What happens if an ISO 27001 internal audit identifies non-conformities?

If an ISO 27001 internal audit identifies a non-conformity, i.e. something that is not working as expected, then you follow the documented continual improvement process.