All audits involve at least one auditor (sometimes more than one, with the person in charge commonly known as the lead auditor) and at least one auditee. The auditee’s role is to collaborate with the audit team to:
- Navigate through the different ISMS documents and systems
- Discuss and agree on the effectiveness of the parts of the ISMS being audited
- Provide evidence where needed of the ISMS operations (typically records)
- Explain the background thinking and business context to the auditor
The focus of this piece is preparation for internal audits from the auditee’s perspective.
What is an ISO 27001 internal audit?
Internal audits help an organisation confirm that both its own requirements and those of the standard are being met. An ISO 27001 internal audit first determines whether the organisation has the procedures, processes, controls, and people needed to protect its information and its information security management system (ISMS), measured against the ISO 27001 standard. Secondly, by inspecting documents and records with the assistance of the auditee, the audit tests whether the various ISMS components are performing as designed and meeting the mandatory requirements of the standard (look for the word “shall”).
Why do we need ISO 27001 internal audits?
Several drivers make conducting internal audits compulsory. Clause 9.2 of ISO 27001 mandates that internal audits are carried out at “planned intervals”. Beyond the mandate, most companies want to release real value from their ISMS, and top management leads that strategic intent. Internal audits are therefore seen and used as a critical business improvement tool.
Conducting an internal audit confirms that the organisation’s procedures are being carried out as planned. Both positive and negative findings from an internal audit are invaluable for improving your organisation’s information security management processes.
The difference between external and internal ISO 27001 audits
The external audit process is essentially the same as the internal audit process; both measure the ISMS against the same standard, and together they support the goal of achieving and maintaining ISO 27001 certification. External audits are typically performed by certification bodies using professional auditors. Although the processes are essentially the same, external audits tend to be more formal and structured than internal audits.
For reference, here is a quick summary of the different audit types:
- Third-party audits are when another organisation audits your organisation – the obvious example being your ISMS being audited by your chosen certification body – commonly known as an ‘external audit’.
- Second-party audits can be inward to your organisation (a customer audits you) or outward from your organisation (for example, you audit a prospective or current supplier).
- First-party audits are when an organisation audits itself – that is, an internal audit.
Defining the audit
To gain the maximum value from your audit, you must predefine the audit parameters: the objective, the scope, and the criteria. The audit objective is the purpose or aim of the audit. The audit scope identifies which activities and records are subject to the audit. The audit criteria are the policies, procedures, and requirements that the audit examines against; for an ISMS audit, this is the ISO 27001:2013 standard together with your own ISMS policies and procedures.
The importance of ISO 27001 audit preparation
If there is one commodity we would all like more of, it is time. As Benjamin Franklin once said: ‘Failing to prepare is preparing to fail.’ I am sure he wasn’t referencing ISO 27001 audits at the time, but the point still applies. An audit of your entire information security management system, including its technologies, processes, procedures, and people, will almost certainly prove challenging.
The larger and more complex the organisation, the more likely it is that audit findings will delay certification. However, there are steps you can take in advance to make your audit more efficient and less of an ordeal. Gather all the necessary documents before the audit so that you can demonstrate your compliance efforts. Make sure you understand the requirements of the clauses and control areas that are in scope. Finally, make sure you are up to date with the continuous work areas such as corrective actions, management reviews, and the audit programme; these are highly likely to be checked as part of the internal audit.
How to practically prepare for the internal audit
Both the auditor and the organisation must be adequately prepared for the audit. While worrying about your documentation, it is easy to forget the many practical things you may need to have ready.
Around two weeks before the audit, make sure that all relevant policies, procedures, systems, records, and controls are as up to date as possible, with suitable approval audit trails in place. Re-read the relevant policies, processes, and procedures to re-familiarise yourself with them, and review them ahead of the audit if you see fit. It will not surprise you that you may need to produce documentation during the audit, so have it readily available beforehand, or at least know how to access it. Scurrying around looking for things at the last minute only wastes your time and the auditor’s.
Access and clearance should be sorted out in advance. Arrange any security permissions the auditor will need, such as access to the server room or a key card for the warehouse. Similarly, you may need to make special arrangements beforehand, such as turning off an alarm or temporarily halting production.
You may also need PPE for the auditor, such as a safety helmet or overalls, if they will be exposed to a dangerous environment; failing to arrange this is likely to prevent the auditor from completing their work. Likewise, a specific department or person may be audited, such as Human Resources, so make sure the specialised personnel are aware of the audit and available for the auditor to speak to. Give your colleagues plenty of notice. The audit plan will help you work out these arrangements.
Finally, there may be logistical preparations to make, for example arranging a suitable workspace for the auditor to work on the audit findings and the write-up. The auditor may also need an internet connection for some aspects of the audit. If your policy doesn’t allow guests to join the network, tell them in advance to bring a hotspot. Otherwise, having the guest Wi-Fi details on hand will make things more straightforward; that guest network should be segregated from your internal network, and the auditor should be given no more access than the audit requires.
No preparation is the best preparation
It may come as a surprise, but the ideal ISMS would not need to prepare for an audit at all. A healthy ISMS is always up to date with the continual requirements of the standard, such as management reviews, audits, and corrective actions. Keeping up to date with these work areas improves your business practices through the continual improvement of your ISMS. Some housekeeping before your audit may still be in order, but a system that reminds you of to-dos, upcoming tasks, policy reviews, and other recurring tasks gives you the best chance of avoiding ISO-panic. This is where we come in. We provide a complete platform for you to build and manage your ISMS. With our solutions, your organisation, customers, and other stakeholders can have compliance confidence and certification certainty. We are used to working with customers of all backgrounds, from information security novices to seasoned veterans. As your organisation grows and changes, new infosec threats continuously emerge; we designed our platform to help you adapt to all of that as the world keeps evolving.
Previous audit findings and corrective actions – will they be audited?
The goal is an internal audit of the ISMS against ISO 27001 that raises no new nonconformities, so you should go into the audit confident of conformity. A review of your documentation is therefore essential. Check that all policies have been submitted to and approved by top management; otherwise, conformity with Clause 5.2 (the information security policy) could be jeopardised.
It also helps to look at the corrective actions (CAs) recorded in the ISMS; this data can be used to prepare for your upcoming internal audit. The CAs show you previously identified areas that need improvement. Sometimes a corrective action comes from a management review or from the response to a security incident, but here we focus on corrective actions that stem from an audit. These are essential to review because they are almost certain to be checked in your next audit, which must address the improvement opportunities and any nonconformities that surfaced from the previous one. This demonstrates your ongoing commitment to continual ISMS improvement.
The term ‘addressed’ is vague, so let us clear it up. To conform in this area, you must demonstrate to the auditor that you have acted upon the finding. With our platform, this is done using the corrective actions tracker and the linked work feature to show the changes you have made in response to the finding. If you haven’t yet acted upon the finding, don’t panic; conformity is still possible, but there must be evidence that the finding has been considered and is being acted upon. Generally, documenting the finding in the CA tracker and setting a due date and assignee will suffice, as it shows that your company has considered the finding and is deciding the next course of action. Finally, all overdue CAs must be addressed before any audit to demonstrate commitment to continual improvement of the ISMS.