Table of contents
- What is ISO 27001 Clause 9.2?
- ISO 27001 Clause 9.2 Internal Audit Defined
- How to conduct an ISO 27001 internal audit
- How to comply with ISO 27001 Clause 9.2
- ISO 27001 Clause 9.2 Implementation Guide
- How do you demonstrate compliance to ISO 27001 clause 9.2?
- ISO 27001 Clause 9.2 Templates
- ISO 27001 Clause 9.2 FAQ
What is ISO 27001 Clause 9.2?
ISO 27001 Clause 9.2 Internal Audit requires an organisation to conduct internal audits at planned intervals to confirm that its information security management system (ISMS) is operating effectively. For ISO 27001 certification, you are expected to test and check that the management system and the associated Annex A information security controls are in place and operating as expected and required. Note that Clause 9.2 is one of the mandatory management-system clauses (Clauses 4 to 10), not an Annex A control: it applies to every organisation seeking certification and cannot be excluded by a Statement of Applicability.
The ISO 27001 standard requires an organisation to check itself. Internal audit is part of the process of continual improvement and one of the checks and balances in the ISMS. ISO 27001 is not a one-and-done exercise: the audit programme is expected to be in place and operating before the certification audit, and to continue afterwards.
ISO 27001 Clause 9.2 Internal Audit Defined
The ISO/IEC 27001:2013 text defines Clause 9.2 Internal Audit as follows (the 2022 revision splits the same requirements into 9.2.1 General and 9.2.2 Internal audit programme, with the wording otherwise substantially unchanged):
The organisation shall conduct internal audits at planned intervals to provide information on whether the information security management system:
a) conforms to
1) the organisation’s own requirements for its information security management system; and
2) the requirements of this International Standard;
b) is effectively implemented and maintained.
The organisation shall:
c) plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits;
d) define the audit criteria and scope for each audit;
e) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;
f) ensure that the results of the audits are reported to relevant management; and
g) retain documented information as evidence of the audit programme(s) and the audit results.
How to conduct an ISO 27001 internal audit
We have provided a detailed guide on How to Conduct an ISO 27001 Internal Audit.
How to comply with ISO 27001 Clause 9.2
- Plan your ISO 27001 internal audit programme
Plan your ISO 27001 internal audit programme around the needs and availability of the business and around risk: areas of higher risk or importance, and areas with findings from previous audits, should be audited more often, which is exactly what Clause 9.2 c) asks for. Put your external certification and surveillance audits in the same plan. Every clause of the standard and every applicable Annex A control should be audited at least once a year, and before an external audit.
- Establish your ISO 27001 internal audit programme
Establish your ISO 27001 internal audit programme by writing an audit plan and documenting the internal audit process, including the audit criteria and scope for each audit. Allocate roles and responsibilities, making sure no one is assigned to audit their own work.
- Implement your ISO 27001 internal audit programme
Implement the plan across your organisation, making internal audit results a standing item on the structured agenda of the management review team. The standard only requires management review at planned intervals; in practice, Management Review Team meetings should happen monthly, or at least quarterly, to be effective.
- Maintain your ISO 27001 internal audit programme
Continue to run your ISO 27001 internal audit programme and adapt it, following your continual improvement process, as risks, scope and previous audit results change.
- Conduct internal audits
Conduct your internal audits by following the detailed steps in the How to Conduct an ISO 27001 Internal Audit Guide.
ISO 27001 Clause 9.2 Implementation Guide
There are many ways to conduct internal audits, but whichever you choose, ISO 27001 internal audits must be done by someone who is independent of the area being audited: auditors should not audit their own work or the processes they are responsible for.
That doesn’t mean that you have to bring in outside third-party resource to do it, although it can help.
Specialist resource can add real value in terms of insights and improvements, and an external auditor will be genuinely impartial.
It is better to have this independence at the internal audit stage, before your external audits, so that problems are found and fixed by you rather than raised by the certification body.
Whoever does it should record evidence of the audits, maintain working papers (audit criteria, scope, evidence sampled, findings), create management reports and report to the management review team.
How do you demonstrate compliance to ISO 27001 clause 9.2?
You demonstrate compliance with ISO 27001 clause 9.2 Internal Audit by having an audit programme in place that records the audits already conducted and the audits you have planned. In addition you will show evidence of the internal audits conducted: working papers, audit reports and the findings raised.
Perform at least one internal audit covering every clause and every applicable Annex A control before you go for your certification audit, and make sure your audit programme shows the audits planned after certification as well.
Remember that internal audit is a continual process, not a one-off exercise before certification.
ISO 27001 Clause 9.2 Templates
ISO 27001 templates are a practical way to implement your information security management system. Whilst a full ISO 27001 toolkit can save you up to 30x in consulting fees and allow you to deliver up to 10x faster, these individual templates help meet the specific requirements of ISO 27001 clause 9.2.
ISO 27001 Clause 9.2 FAQ
ISO 27001 Clause 9.2 requires an organisation to conduct internal audits at planned intervals to check that the information security management system and its information security controls are operating as intended.
ISO 27001 clause 9.2 compliance is evidenced by having an audit plan, a documented audit process and evidence that internal audits were conducted across the ISO 27001 clauses and Annex A at least once before the certification audit.
You can download ISO 27001 Clause 9.2 templates here: https://hightable.io/product/iso-27001-templates-toolkit/
An example of ISO 27001 Clause 9.2 can be found here: https://hightable.io/product/iso-27001-templates-toolkit/
You perform ISO 27001 internal audits at least once annually, with frequency adjusted based on risk, the importance of the process and the results of previous audits.
ISO 27001 internal audits are performed by someone independent of the area being audited. It can be someone external to the organisation, but it doesn’t have to be.
The results of the ISO 27001 internal audits are reported to the management review team as part of the structured agenda and reporting.
If an ISO 27001 internal audit identifies a nonconformity, i.e. something that is not working as required, then you follow the documented nonconformity and corrective action process (Clause 10): correct it, address the root cause, and record the evidence.