ISO 27001 Internal Audit
The ISO 27001 standard requires an organisation to effectively check itself. Internal audit is part of the process of continual improvement and one of the management system's checks and balances. ISO 27001 is not a one-and-done exercise: internal audit is expected to be in place and operating both before the certification audit and after it.
What is ISO 27001 Internal Audit?
ISO 27001 Clause 9.2 Internal Audit requires an organisation to conduct internal audits at planned intervals to ensure the management system is operating effectively. For ISO 27001 certification, the standard wants you to test and check that the management system and the associated Annex A information security controls are in place and operating as expected and required. It is one of the ISO 27001 clause requirements.
ISO 27001 Internal Audit Purpose
The purpose of ISO 27001 Internal Audit is to ensure that you have independently checked and verified that the information security management system (ISMS) is operating effectively and meeting its intended outcomes.
ISO 27001 Internal Audit Definition
In the 2022 revision the wording of this clause has been moved into two new separate sub clauses. The definitions for those are as follows.
ISO 27001:2022 Clause 9.2.1 General – New clause
The organisation shall conduct internal audits at planned intervals to provide information on whether the information security management system:
a) conforms to
1) the organisation's own requirements for its information security management system;
2) the requirements of this document;
b) is effectively implemented and maintained.
ISO 27001:2022 Clause 9.2.2 Internal Audit Programme – New clause
The organisation shall plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting.
When establishing the internal audit programme(s), the organisation shall consider the importance of the processes concerned and the results of previous audits.
The organisation shall:
a) define the audit criteria and scope for each audit;
b) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;
c) ensure that the results of the audits are reported to relevant management;
Documented information shall be available as evidence of the implementation of the audit programme and the audit results.
What are the ISO 27001:2022 Changes to ISO 27001 Internal Audit?
Nothing significant changed in ISO 27001 Clause 9.2 Internal Audit in the 2022 update. The changes are to wording and clarification, together with a change to the layout of how the requirements are presented: rather than one clause, the elements have been split out into two sub clauses for enhanced clarity.
Implementation Guide
General
There are many ways to conduct internal audits.
ISO 27001 internal audits must be done by someone who is independent.
That doesn't mean that you have to bring in an outside third party to do it, although it can help.
Specialist resource can add incredible value in terms of insights and improvements, and it will be truly impartial.
It is better to have independence at this stage, prior to your external audits.
Whoever does it, they should record evidence of the audits, maintain working papers, create management reports and report out to the management review team.
This is going to be one of the biggest constraints, time sinks and burdens placed upon you, and you have two approaches to it. Many organisations outsource this to an ISO 27001 consultant, which is absolutely fine and gives you the independence that you need. Alternatively, you can conduct it yourself, and I'm now going to walk you through exactly how you can do that. The only caveat is that the person who conducts the audit has to be independent of the area being audited.
ISO 27001 Clause 7.2 Competence is also relevant here, as it covers the competence of people to perform their role. So be aware that if you pick somebody internal to your organisation there may be some challenges around their competence, their experience or their training. That said, I'm now going to walk you through exactly how you can do this yourself.
Plan your ISO 27001 internal audit programme
Plan your internal audit programme for ISO 27001 based on the needs and availability of the business as well as based on risk. Ensure you plan your external certification audits. Everything should be audited at least once annually before an external audit.
What you need to do is complete your audit plan for the year ahead, based on risk.
If I see a waterfall audit plan as an auditor that would raise some alarm bells.
You are planning your audits based on risk:
- What is the risk of the process?
- What is the risk of the control?
- What is the risk to our organisation?
You are also taking into account the outputs from previous audits.
Where previous audits have identified something, that would be something that you would audit more rigorously and more often.
Taking the risk register you will identify the things that are higher risk and audit them more frequently.
If you have put in a risk mitigation then you want to check that that risk mitigation is working by reviewing and auditing more often.
Your audit plan will cover the entire year, setting out over the next 12 months what it is that you are auditing. This shows that this is an ongoing management system: you do not just show the audits that have been conducted, but also the audits going forward.
It is important to remember that the audit covers both the information security management system and the ISO 27001 Annex A controls. One of the things that people often miss or get wrong is that they concentrate their audits on the ISO 27001 Annex A controls and leave out the management system. We are testing the effectiveness of the management system as well as of those ISO 27001 Annex A controls.
The audit plan is updated based on changes and scheduling requirements. The following are usual scenarios when the plan will require updating:
- when staff availability changes
- when your audit plan slips
- when you have a significant incident.
When the audit plan changes it should be presented to the next management review team meeting and recorded in the minutes of the meeting. Remember to update your version control.
Establish your ISO 27001 internal audit programme
Establish your ISO 27001 internal audit programme by having an audit plan and document the internal audit process. Allocate roles and responsibilities.
Implement your ISO 27001 internal audit programme
Implement the plan in your organisation, ensuring that audit reporting to the management review team is part of the structured, required agenda. Management Review Team meetings should happen monthly, or at least quarterly, to be effective.
Maintain your ISO 27001 internal audit programme
Continue to run and adapt your ISO 27001 internal audit programme following your continual improvement processes.
Conduct internal audits
Conduct your internal audits by following the detailed steps in the How to Conduct an ISO 27001 Internal Audit Guide.
Implementation Checklist
Internal Audit ISO 27001 Clause 9.2 Implementation Checklist
Plan the Audit
Decide what areas to audit and when. Make a clear audit plan.
Challenge: Hard to cover everything at once. Finding time for audits can be difficult.
Solution: Focus on key areas and risks. Schedule audits regularly, but be flexible. Combine audits where possible.
Define Audit Scope
Clearly state what each audit will cover. What parts of the ISMS will be checked?
Challenge: Scope can creep and become too broad. Hard to keep audits focused.
Solution: Keep the scope specific and manageable. Prioritise the most important areas. Get agreement on the scope before starting.
Use Qualified Auditors
Make sure auditors have the right skills and knowledge.
Challenge: Finding qualified auditors can be hard. Training auditors takes time and money.
Solution: Invest in auditor training. Use external auditors if needed. Consider internal staff with relevant skills.
Conduct the Audit
Carry out the audit according to the plan. Gather evidence and look for any problems.
Challenge: Audits can be disruptive. People may be defensive about their work.
Solution: Communicate clearly about the audit process. Be objective and fair. Focus on finding ways to improve.
Document Findings
Keep clear records of what was found during the audit. Note any nonconformities.
Challenge: Documenting everything can be time-consuming. Hard to keep records organised.
Solution: Use a simple audit report template. Store records centrally. Keep documentation clear and concise.
Report Audit Results
Share the audit findings with relevant people, including management.
Challenge: Delivering bad news can be difficult. People may not want to hear about problems.
Solution: Focus on the positive: audits help improve security. Present findings objectively. Highlight areas for improvement.
Agree on Corrective Actions
Work with the relevant teams to agree on how to fix any problems.
Challenge: Getting agreement on actions can be hard. People may disagree about the best way forward.
Solution: Focus on finding solutions that address the root cause. Be collaborative and open to suggestions.
Follow Up on Actions
Check that the agreed actions have been taken and are effective.
Challenge: It’s easy to forget about follow-up. Actions may not be implemented properly.
Solution: Set deadlines for actions. Track progress and report on it. Verify that actions have achieved the desired results.
Improve the Audit Process
Regularly review the internal audit process. How can it be made better?
Challenge: Hard to find time for process improvement. People may resist changes to familiar routines.
Solution: Get feedback from auditors and auditees. Look for ways to streamline the process. Be open to new ideas.
Keep Audit Records
Maintain records of all internal audits, including plans, reports, and corrective actions.
Challenge: Storing records can be a problem. Hard to keep track of everything over time.
Solution: Use a central system for storing audit records. Make sure records are secure and accessible. Keep records for as long as required.
Audit Checklist
Internal Audit ISO 27001 Clause 9.2 Audit Checklist
Check Audit Plan
Is there a plan for internal audits? Does it cover all key areas?
Audit Technique: Review the audit plan. Check it covers the whole ISMS and is based on risk.
Review Audit Scope
For each audit, is the scope clearly defined? Is it too broad or too narrow?
Audit Technique: Examine the scope of past audits. Check if it was focused and achievable.
Check Auditor Qualifications
Are the auditors competent? Do they have the right skills?
Audit Technique: Review auditor training records. Interview auditors to assess their knowledge.
Examine Audit Process
Is the audit process followed correctly? Is it effective?
Audit Technique: Observe an audit being carried out. Review past audit reports for thoroughness.
Review Audit Findings
Are nonconformities identified clearly and accurately?
Audit Technique: Examine audit reports. Check if findings are specific, measurable, achievable, relevant, and time-bound (SMART).
Check Reporting of Results
Are audit results reported to the right people, including management?
Audit Technique: Review distribution lists for audit reports. Check if management review meetings discuss audit findings.
Examine Corrective Actions
Are corrective actions taken for nonconformities? Are they effective?
Audit Technique: Review records of corrective actions. Check if they address the root cause and prevent recurrence.
Verify Follow-up
Are corrective actions followed up to check they work?
Audit Technique: Check records of follow-up activities. Interview staff to confirm actions are in place and effective.
Check Improvement of Audit Process
Is the internal audit process itself reviewed and improved?
Audit Technique: Review minutes of meetings where the audit process is discussed. Check for evidence of improvements.
Review Audit Records
Are audit records kept properly? Are they complete and accessible?
Audit Technique: Examine records of audit plans, reports, corrective actions, and follow-up activities. Check they are stored securely.
ISO 27001 Audit Templates
The ISO 27001 Gap Analysis and Audit Toolkit fully meets the requirements of ISO 27001 Clause 9.2. It is available as an individual download and is also part of the internationally best selling and award winning ISO 27001 Toolkit.
How to comply
You demonstrate compliance with ISO 27001 Clause 9.2 Internal Audit by having an audit plan in place that covers both the audits conducted and the future audits you have planned. In addition, you will show evidence of the internal audits conducted.
Perform at least one internal audit of everything before you go for your certification audit, and make sure your audit plan sets out future audits and post-certification audits.
Remember that internal audit is a continual process.
What the auditor will check
The auditor is going to check a number of areas for compliance with ISO 27001 Internal Audit. Let's go through them.
That you have an audit plan
They are going to check that you have an audit plan and that you are following the plan. They will check that audits have been completed and that future audits are planned in.
That you do internal audits
They are going to check that you do a full internal audit of everything at least once a year. As part of this they will look to ensure that the person conducting the audit is competent to do so and is independent of the area being audited. They may well check audit working papers and seek evidence of interviews if you did them. In addition, they want to see the audit report, that it was shared with the management team, and that any actions resulting from the audit were documented and implemented, with reference to continual improvement and to any risk management that may result.
Mistakes People Make
In my experience, the top 3 mistakes people make for ISO 27001 Clause 9.2 Internal Audit are:
- You have not done internal audits
- You did audits but the person doing them was either not competent to do so and/or was not independent of the area being audited
- You have no evidence of the results being shared with management or actions being taken as a result of the audit
- A cheeky number 4: you did not formally include the recommendations of the external audits in your corrective action log and future audit plan.
ISO 27001 Clause 9.2 FAQ
ISO 27001 Clause 9.2 requires an organisation to conduct internal audits to check that the information security management system and information security controls are operating as intended.
ISO 27001 Clause 9.2 compliance is evidenced by having an audit plan, a documented audit process and evidence that internal audits were conducted across ISO 27001 and Annex A at least once before the certification audit.
You can download ISO 27001 Clause 9.2 templates in the ISO 27001 Toolkit.
An example of ISO 27001 Clause 9.2 can be found in the ISO 27001 Toolkit.
You perform ISO 27001 internal audits at least once annually and based on risk.
ISO 27001 internal audits are performed by someone independent. It can be someone external to the organisation, but it doesn't have to be.
The results of the ISO 27001 internal audits are reported to the management review team as part of the structured agenda and reporting.
If an ISO 27001 internal audit identifies a nonconformity, i.e. something that is not working as expected, then you follow the documented continual improvement process.