This page explains the different types of ISO 27001 internal audits. To begin with, we will lay the foundation by briefly explaining the requirements in the ISO 27001 standard itself, and then we’ll talk about an ISMS, why it needs auditing and its objectives. If you are familiar with these topics, please scroll to the second half, which talks specifically about internal audits and methodology.
What is ISO 27001?
ISO 27001 is a standard created by the International Organisation for Standardisation. It is used as a framework for an organisation’s Information Security Management System (ISMS). The standard is in two simple sections, the clauses (requirements, and therefore not optional) and annex A controls (optionally used to mitigate identified information security risks).
The information security management system (ISMS) must be designed, maintained, and continuously improved according to ISO 27001. It helps demonstrate best practices in information security, including parts of the EU General Data Protection Regulation, by helping to establish strong data security principles and resultant processes, systems, and infrastructure throughout all aspects of your business.
What is an Information Security Management System (ISMS)?
An Information Security Management System describes and demonstrates your company or organisation’s approach to protecting data and maintaining privacy. It lays out the policies, procedures, systems, and other components used to enforce information security throughout an organisation. An ISMS also considers interested parties (such as suppliers), the scope of your organisation (where and what your ISMS applies to) and internal and external issues. You may determine that these internal and external issues introduce risks or opportunities for your organisation, which you will then act upon within your ISMS.
Why do you need an ISMS?
An Information Security Management System assists in identifying and mitigating risks linked to your most valuable information and associated assets. Ultimately, a functioning ISMS allows an organisation to minimise the disruption caused by security threats and supports continual improvement. In addition to this internally focused value, a successful ISMS often has tangible commercial value.
Why audit your ISMS?
An audit of your ISMS allows the management system to be reviewed by an objective and competent auditor. It will test the elements of the ISMS based on standard requirements. It will also give more insight into how well the organisation is currently meeting its needs and corporate objectives. The efficiency and practicality of the written policies and procedures are also measured. Lastly, an audit of your ISMS can also note the positive findings to ensure they are adequately maintained and provide development for continual improvement.
What is an internal audit?
During an internal audit, the auditor collects and documents facts in collaboration with the auditee. An internal audit measures actual practices (and the resultant outcomes, such as records) against your ISMS, aligned with the ISO 27001 standard. It ensures you are following best practices and processes to protect sensitive data. An internal audit must be carried out by a competent auditor, either from within the organisation or (optionally) from outside, e.g., a consultant working closely with the organisation.
Why do we conduct internal audits?
Clause 9.2 of ISO 27001 (and many other modern ISO standards) requires that internal audits are carried out at “planned intervals”. So firstly, we must do regular internal audits. Incidentally, the other requirements of clause 9.2 are quite simple – we must document our audit outcomes and ensure the audit programme is planned but dynamic. This last point ensures that, as your organisation and the external business environment change, you consider those changes and respond accordingly.
Apart from ISO requirements, there are several core organisational drivers for auditing:
- To spot inefficiencies in processes
- To spot failings in satisfying the requirements of the standard
- To identify good practices that can be replicated
- To look for potential improvements
- To spot compliance
Types of ISO 27001 internal audits
While achieving and maintaining ISO 27001 certification, there are many times where you may require an internal audit. There are multiple ways to execute your internal audit strategy. There are times within your certification journey where an internal audit may increase your confidence when undergoing an external audit. During the build-up to first-time certification, there are two great opportunities for an internal audit. These can be referred to as a pre-stage 1 audit (readiness review) and a pre-stage 2 audit.
Pre-stage 1 audit explained
A pre-stage 1 audit is one that optionally, but very commonly, occurs for ISO 27001 and centres around whether the current policies and procedures fit the requirements set out within the standard. A pre-stage 1 audit can also be referred to as a readiness review and generally looks only at the documented components (policies, procedures, etc.) of your ISMS created by your organisation and checks whether they satisfy the standard. This audit will help ensure your organisation is more prepared for an external stage 1 document review from a certifying body.
The result of a pre-stage 1 audit would be a document that includes a list of controls and clauses and whether the organisation is compliant with each standard area. It will also have opportunities for improvements (OFIs), highlighting the policies addressing the clause or annex that may need to be revisited. Lastly, non-conformities may be listed when the auditor feels that the ISMS does not align with the ISO 27001 standard.
Pre-stage 2 audit explained
The pre-stage 2 audit usually covers an ISO 27001 control or clause of your choosing. This audit proves the effectiveness of your audit procedures and policies in practice. This builds upon the pre-stage 1 audit, ensuring your organisation implements and practices the defined processes. These areas are tested and investigated by the auditor to represent your organisation’s current level of information security compliance. Findings are recorded and stored within your ISMS.
Linking to clause 10 of ISO 27001, which addresses improvements and corrective actions, after completing a pre-stage 2 internal audit, an organisation documents their non-conformities and areas for improvement within their ISMS. A review date is set for each finding once a need for action has been established.
The ISO 27001 standard requires an audit programme. An audit programme typically defines a three-year plan between re-certification external audits. A robust ISMS framework like ISMS.online gives a project area setting out audit time frames, detailing what needs to be addressed and other pertinent details of the planned audit.
Within these three years, all areas of the standard should typically be addressed at least once. Audit programmes can and must be flexible to meet your organisation’s needs and do not have to fit a set model.
Each audit is planned, and the audit plan typically contains details such as:
- When the audit is required to be done (so as not to disturb normal business operations)
- Which areas of the standard are to be covered
- Who will do the audit?
- The objective – why is the audit being done? This could be a planned audit or a re-audit of a previously identified non-conformance area.
- The scope of the audit – which parts of the business are intended to be covered in the time available?
There are subtly different audit methods:
- Audits can be carried out clause by clause and control by control. A great example of where this approach would be helpful is for more general annex A controls, which mitigate a risk related to everyone. This would involve picking parts of the standard and auditing across a pre-defined part or all of your organisation. An example of this would be A.11 Physical Security for each of your offices or locations.
- Another audit method includes conducting departmental audits. This method would look at carrying out audits based on departmental structures and working areas. A departmental audit may be appropriate if departments operate in different regions. An example may be an audit of your human resources (HR) department and its ISMS components.
- Audits can also be done based on products/services. This would look at the tasks and operations taken to deliver a specific product. A pragmatic way this can be done is to start from the final product and work backwards to when actions were first initiated. Essentially this is an audit of a process.
Sometimes, you may feel you need to perform audits outside of your initial audit programme within your organisation. This could be for several reasons related to the effectiveness of your ISMS. Planned audits are a way of showing that your organisation is proactive and seeks continual improvement. However, it may be just as important to be reactive to the circumstances of your organisation – this is your choice as it is not a requirement of ISO 27001.
Another reason an organisation may need to carry out an unplanned audit would be to respond to a security incident or disaster event. If a security breach were to happen through a phishing email, an organisation might see it fit to audit annex A control A.7.2.2, which looks at staff awareness and training. This would be to ensure that this sort of compromise in security does not reoccur.
One reason you may want to carry out additional audits is the findings of your planned audits. For example, if you were to find non-conformities within a certain audit area, it may be best to audit that specific control or clause at more regular intervals until the issue occurs less or the risk becomes more tolerable. This would be dependent on your risk appetite, the potential damage, and the frequency of non-conformities. It may also be helpful and appropriate to do an internal audit of any corrective actions to ensure success.
When conducting an audit, it is crucial to document your discoveries and ensure continual improvement. Positive findings are also noted to help build ideas and ensure good practices are being maintained. Non-conformities are recorded to ensure corrective actions are taken and issues are assigned to a responsible owner. A common structure for documenting audit outcomes is as follows:
- Conformity – The arrangements are judged to adequately satisfy the requirements of the applicable clause(s) or control(s)
- Opportunities for improvement – Noted areas where the ISMS could potentially be improved, at the organisation’s discretion. The organisation should carefully consider the finding, documenting the changes to the ISMS as appropriate.
- Non-conformity – An issue that contravenes a requirement of ISO 27001. This will require full and proper resolution promptly before the next external audit.
- Major Non-conformance – Failure to conform with the standard at a systemic level will likely require attention from senior management and restructuring of information security practice.
Note that the above approach is not a requirement of ISO 27001 so you could use entirely different approaches if they work for your organisation.
How ISMS.online helps with internal audits
With ISMS.online, our software service gives your information security management system a single, accessible location. This includes a flexible audit programme area that can document audit reports in between certification periods. ISMS.online also helps organisations manage their audit findings and address them accordingly. Our software service also provides an area to meet clause 10 (Improvement) through a corrective actions and improvements track. This allows your organisation to be more proactive when addressing non-conformities and improvements, by showing the status of each item and assigning a responsible owner and dates for completion and review. All these features allow an organisation to feel better organised for an external audit, as all work areas and reports are easily accessible to show, allowing the process to run more smoothly.
ISMS.online also offers internal audit services conducted by information security specialists. This ensures that organisations have a competent auditor to carry out their internal audits in line with annex A.18.2.1, which mentions that processes and procedures shall be reviewed independently. This will allow your audit findings to be objective, accurate and valuable to your organisation.
To provide additional support, ISMS.online also features a virtual coach add-on, which includes videos, guides, and checklists that provide information on addressing the ISO 27001 standard. There is a section related to 9.2 (Internal Audits) and other relevant areas. This gives direction to your organization and helps save time which can be used to focus on more general operations. Using Virtual Coach will help your organization become pragmatic and increase your information security confidence.