Internal audits of the management system are a mandatory requirement of ISO 27001 and all other mainstream ISO standards. When examined objectively, however, the requirements are very minimal and their detail is very un-prescriptive. This means that there is considerable scope for streamlining the audit processes and gaining real business benefits from your internal audits. Sadly, audits have sometimes historically been seen as a non-value-adding pain; however, we’ll explain why this can happen and how to avoid it with the help of our internal audit checklist.
Common mistake: Not embracing the internal audits as a business improvement tool
Occasionally taking an objective look at your processes and systems can release lots of untapped value.
What is an ISO 27001 internal audit?
“Audit” is a word that nobody likes to hear – it historically and generally has negative and onerous connotations. These are primarily outdated, however; enlightened organisations see audits as an improvement tool for their management systems and processes. In the case of an ISO 27001 Information Security Management System (ISMS), these audits are focused on information security related arrangements.
Common mistake: Performing a certification audit in an officious and over-formal manner
The ‘tone’ of the internal audit report can (and we think must) be driven by the auditor to be friendly and collaborative. As long as the relevant findings emerge at the end of the audit process, then that is a successful outcome.
The ISMS consists of the processes, procedures, protocols, and people needed to protect the organisation’s information and information systems, in line with the ISO 27001 standard framework. An ISO 27001 internal audit is the process of determining if your ISMS is working as designed and looking for improvements (as per clause 10.2 – catchily titled “continual improvement”). Practically, an internal ISO 27001 audit helps organisations ensure they adhere to their self-prescribed requirements (also defined in the ISMS) and the requirements of the standard.
Common mistake: Defining in your ISMS that something happens – when it doesn’t happen in reality
This is unforgivable, as you define your management system to suit your business. You have therefore engineered an audit trap into your management system.
Within clause 9.2, the management requirements of ISO 27001 state that the organisation must conduct internal audits at “planned intervals” – however you choose to define these intervals.
Common mistake: Not defining appropriate “planned intervals” in the audit program
This definition is designed to give flexibility in determining your program, but it is often the case that the appropriate ‘sweet spot’ is not found, leading to under- or over-auditing.
Why are internal audits important?
Audits assure the performance of an ISMS against the objectives set for it. Without this assurance, there is no genuine guarantee of how well it will deliver in protecting your company’s information. Internal audits are essential because they help organisations identify and correct weaknesses in their information security management system. The audit criteria/outcomes are then used in several ways:
- To apprise leadership/management of the performance of the ISMS
- To improve the ISMS
- To look for synergies in terms of potential issues and corrections
- To repair parts of the systems and processes that are not operating to design
Common mistake: Not alerting management quickly enough when action is needed
Senior management may not directly implement changes to your ISMS following a review. Still, they need to be involved, be aware of issues, and drive remedies and improvements.
What does the ISO standard say we have to do?
Clause 9.2 of ISO 27001 demands only a few things of your internal audits:
- That they are “planned” – i.e., a program of audits is defined and documented
- The program of audits is dynamic and appropriate to your organisation
- Audit results are documented
- Management is appropriately apprised of the audit outcomes
The process, therefore, shouldn’t be too demanding, and the general approach requires the application of common sense. For example, parts of your business that have had poor audit outcomes in the past will probably be audited in more depth, maybe more frequently, and possibly by your most senior auditor in future. Conversely, those areas that have flown through previous audits could have the audit depth, frequency, or both, appropriately reduced in the forward program.
Most organisations produce an audit program for the business for the forthcoming year, sometimes longer, say for the three-year lifecycle of their certification.
Common mistake: Not adhering to the audit program
Falling behind on your internal audits is one of the easiest ways of putting your ISMS certification at risk. If this is happening, addressing it as quickly as possible is always the best advice.
Common mistake: Under- or over-auditing parts of your management system
The frequency needs to be given some thought, and a balance struck. The ISO standard requires consideration of “the importance of processes”, which means some parts of your ISMS will be audited more than others, as appropriate.
Common mistake: Disrupting normal business operations with an inappropriate audit program
If your business has busy periods, then it would be silly to schedule too much auditing at these times. Similarly, many organisations wind down operations at, say, Easter or Christmas, and this may, or may not, be a good time to do some internal audits. You decide.
What does the ISO standard NOT say we have to do?
It is fascinating to note what ISO clause 9.2 does NOT say is required. Be very clear: if something is not an absolute requirement in the ISO standard (look for the word “shall”), then you can, with appropriate consideration, define your arrangements in your ISMS to suit your organisation. As an example, there is no requirement for unplanned or random internal audits in the ISO standard. You could, if you choose to, do some of these.
Another example is the depth and duration of your internal audit. You could, in theory, perform an audit of a process in a matter of minutes, or it could drag out for hours. Either way, as it is not a requirement of the standard, you have choices. We would advise breaking lengthy audits into smaller parts (say of an hour) to give both the auditor and auditee some thinking time and a chance to refresh.
Don’t forget – most internal auditors are fuelled by tea, coffee, water and very often, biscuits and cakes…
Common mistake: Trying to ‘buy’ or overly influence your internal auditor
Auditors must stay impartial and objective – no amount of cakes and kindness will affect the objectivity of the audit outcome.
Common mistake: Not investing enough (or appropriate) time and resources
Trying to do the minimum amount of auditing or doing cursory audits will not release any value or demonstrate any commitment to the ISMS (which is a requirement of ISO 27001).
Common mistake: The auditor overstays their welcome
If an internal audit is planned for, say, one hour, it should not take any more than that hour. An over-run may severely disrupt other planned business activities with all the negatives that this scenario will bring. The solution is to document in the audit report the unfinished pieces to be addressed in future.
Who conducts an ISO 27001 internal audit?
ISO 27001 audits require competent (as per clause 7.2) and objective auditors, who have demonstrated knowledge of the standard and experience conducting an ISO 27001 audit. Often, internal auditors will already work in your organisation and will therefore know how your business works.
Looking at this objectively, this could be a strength or a weakness, depending on the situation. An internal auditor can demonstrate competence by attending an ISO 27001 lead auditor course or through practical experience that demonstrates their knowledge of the standard and their successful delivery of audits.
Common mistake: Performing internal audits using incompetent auditors
You cannot just use anybody. You wouldn’t use the receptionist to control your nuclear reactor. The same principle applies to your internal audits.
With the high costs of training courses in mind, it may be preferable for an auditor to demonstrate their level of competency through hands-on experience of implementing an ISMS. ISMS.online can help boost your confidence and competence in auditing your ISMS against ISO 27001 through several valuable features such as our Virtual Coach. This feature is an “always-on” set of videos, checklists, and guides, focusing on the auditor’s perspectives for many clauses and controls.
It may be more practical for smaller organisations with limited capacity or companies seeking greater objectivity to use an external (third-party) auditor to perform internal audits. Note that this is perfectly acceptable in terms of ISO requirements. The auditor could be a consultant, or ISMS.online can help; this approach gives independence and can provide more objectivity and the benefits of more wide-reaching experience in other similar organisations.
Common mistake: Auditing your own work
Do not ever do this, as impartiality and independence are heavily impaired.
What are auditors looking for?
The objective of an ISO auditor is to understand the goal of your information security management system and obtain evidence to support its compliance with the ISO 27001 standard. Contrary to popular belief, auditors look for (and should report) positive outcomes as well as negative ones.
ISO 27001 auditors also look for any gaps or deficiencies in your information security system. Essentially, your auditor will seek evidence of the ISO 27001 standard requirements throughout your business. You can demonstrate this by proactively enacting policies and controls which mitigate the risks facing your company’s information. Lastly, any potential improvements to the ISMS collaboratively agreed between the auditor and auditee will form part of the audit report.
Common mistake: Keeping the audit running until non-conformances are found
A balanced audit will report what is found. If no non-conformances are evident, then this is NOT an indication of a poor audit. Objective (that is, the majority of) auditors do not get a warm fuzzy feeling when they can pin a non-conformance against your ISMS…
Common mistake: Not reporting compliance
Compliance is equally important for organisations to be aware of as non-compliances and potential improvements. Why go to the time and trouble to plan and perform the audit but not report a positive outcome?
Internal audits are not subjective
As an auditor, you may be inclined to over-suggest implementations for your organisation’s ISMS or general areas for improvement, known as opportunities for improvement (OFI). However, it is essential to remember that while there is room for interpretation within the standard, actions outside the standard requirement are not compulsory. This means your organisation’s unique situation may deem certain suggestions redundant from an auditor’s perspective, especially if they are outside the ISO 27001 requirements.
Common mistake: You do not “Pass” or “Fail” an audit
Audit reports are statements of fact and should be viewed impassively and not emotionally. Any resultant changes required to your ISMS should be determined and implemented (and, if needed, re-audited). Evidence plays an essential role in achieving ISO 27001 certification; clause 10.1 explicitly requires organisations to retain evidence regarding non-conformities and actions taken as a result. As an auditor, this means your findings for non-conformities should be based on evidence that will clearly outline the areas in need of improvement or systematic correction.
Common mistake: Not using facts to determine audit outcomes
Auditors’ opinions and beliefs can negatively skew the audit outcome. Objective and impartial audit outcomes are only determined by factual evidence and experience.
Why choose ISMS.online to help you?
To become ISO 27001 compliant or certified for the first time, our ISMS.online Assured Results Method (ARM) offers simple, time-efficient, and practical application. ARM will assist you in determining which assets, systems, people, locations, etc., fall within the scope of your Information Security Management System. As a result, ARM will allow you to think about the risks they face.
The Adopt Adapt Add (AAA) philosophy for clause 9.2 provides a tried and tested process to follow for internal audits. Using our pre-configured ISMS, you can quickly and easily evidence the requirements of clause 9.2. You will also receive an audit program for conducting internal audits. You can use our audit project to set the objectives and scope for each audit, then record the findings and address any non-conformances found during the audit in the platform’s Improvement Track.
Clause 10.1 covers the non-conformity and corrective action requirement for ISO/IEC 27001. You will need to provide evidence to the auditor on how your organisation identifies, reacts to, evaluates, reviews and documents non-conformities. Using our ISMS.online platform, you can use the Adopt Adapt Add philosophy with our pre-suggested policy for clause 10.1. The ISMS.online platform provides a practical Corrective Actions & Improvement Track to demonstrate how your organisation manages corrective actions and improvements easily. You can also link corrective actions and improvements to other areas within the platform, such as policies, while assigning to-dos to colleagues and adding due dates.
Our ISMS.online platform also provides a framework that allows organisations intending to follow a three-year audit programme for all controls for their certification period to do so.
Evidencing is made simple with our ISMS.online platform; you can record data, policies, controls, procedures, risk assessments, risks identified, actions, projects, related documentation, and reports within the platform, creating an easy assessment for auditors.
Extra help available from Service Development and Delivery (SDD) team
Employees responsible for implementing your information security system may have difficulties and queries around the standard; this is where our support teams can guide you through the process. Within our organisation, the Service Development and Delivery Team has vast experience and expertise in information security. They can support the initial implementation of your information security management system and provide guidance on any significant difficulties with the standard.