An internal audit is a planned and documented process conducted by an organisation to evaluate its own Information Security Management System (ISMS). Its purpose is to verify if the ISMS conforms to the requirements of the ISO 27001 standard and the organisation’s own security policies. The audit is performed by competent personnel, either from within the organisation or an external consultant, who are independent of the activities being audited.
Key Characteristics
- Mandatory: ISO 27001 Clause 9.2 Internal Audit requires organisations to conduct internal audits at planned intervals.
- Objective: It provides management with an objective assessment of the ISMS’s performance and effectiveness.
- Continual Improvement: The findings from an internal audit are used to identify nonconformities and opportunities for improvement, which feeds directly into the Plan-Do-Check-Act (PDCA) cycle.
Example
A company’s internal audit team reviews the Access Control logs for the past three months to ensure that all failed login attempts are being logged and investigated as required by their ISMS policy.
ISO 27001 Context
The internal audit is a crucial “Check” activity in the PDCA cycle, allowing an organisation to proactively find and fix issues before a third-party certification audit.
