In order for your information security management system (ISMS) to be viable, you must periodically receive an internal, independent audit that shows how it is meeting the requirements of the ISO/IEC 27001 standard. Since organizations, particularly small enterprises, often find these mandates challenging, it makes sense to take a deeper dive into the ISO 27001 audit. Learning about the internal audit procedure is important if you want to assess the security of your systems and validate it to your stakeholders.
Internal ISO 27001 Audit Defined
As the name implies, an internal ISO 27001 audit is conducted by your own staff as opposed to a third-party consultant. It is the mechanism used to ensure that your ISMS meets the criteria set by the ISO. Since the security landscape is changing constantly, it is important to conduct an audit regularly. That being said, ISO 27001 does not specify a set length of time between audits because each business has its own unique needs. In general, most experts recommend that you conduct an ISMS audit once a year, with the maximum time between audits spanning no more than three years.
Stages of an Internal ISMS Audit
Successful ISO 27001 audits can be complex, involving many moving parts. As a result, your management team should take time to prepare for the procedure. If possible, give yourself up to 12 months for this preliminary work so that you can ensure that you have the knowledge and critical personnel in place when the time comes.
The internal audit procedure consists of five steps that you need to follow:
- Determine the scope of the audit. This involves gathering and reviewing all of the documents you and your team wrote when your ISMS was created. Furthermore, you should identify all of the stakeholders who will be involved in the ongoing process.
- Make a plan. During this stage, your team should work to compile a checklist of tasks to be accomplished during the audit as well as the associated time frame and a complete list of the resources – human and otherwise – that your organization will devote to the task. For best results, it is also wise to set up regular “check-in” meetings with the company’s board of directors so that they can remain aware of the audit’s progress.
- Conduct a practical assessment. Internal company auditors will take stock of your entire organization in order to assess the effectiveness of staff, equipment, protocols and procedures. As evidence is gathered, relevant testing and surveillance should occur.
- Analyze the findings. After the evidence has been gathered and testing has been completed, the audit team should review all information to determine whether your organizational objectives are being met according to ISO 27001 criteria. If any gaps or lapses in your systems are noted, this is the time to take corrective action and undergo additional testing.
- Write and present a report to management and other company stakeholders. This document specifies all actions taken during the audit process and states the opinion of the auditing team as to whether your organization’s ISMS is in compliance with the standard.
It should include an introduction that reviews the objectives, scope and extent of the audit; an executive summary chronicling the major findings and providing a general analysis and conclusion; a description of who will be receiving the audit report; a more thorough analysis of the findings, including recommendations if applicable; and a final statement highlighting any additional limitations or recommendations that should be taken into account.
How an ISO 27001 Audit Checklist Can Be an Invaluable Governance Tool
The more sophisticated your organization’s security system has become, the more involved your audit will be. However, if you compile a list of priorities, tasks and time frames that you can check off when they are completed, the job becomes far more organized and easier to complete in an effective and thorough manner.
The biggest advantage of a checklist is that it works in tandem with your documentation, helping to ensure that the criteria and categories you identified as important when creating your ISMS are actually being accomplished. In addition, the checklist that you maintain can help you to specify when and where your most important resources and staff will be allocated during the audit.
Furthermore, your checklist becomes particularly vital as your team goes through the practical audit process. As you talk to staff, read procedures and test equipment and security systems, it is vital that you use it to keep track of the information and knowledge you gather. Finally, your checklist is indispensable when writing your final report since you can refer to it when organizing all of the systems-related information you have gathered.
Items to Include in Your Checklist
Even if you have never gone through this process, your company does not need to enlist the services of an accredited outside auditor who possesses an esoteric knowledge base or extensive certification to get results. Even a neophyte can compile the necessary documentation and gather a qualified auditing team. While your checklist can have unique additions, it should contain at least the following:
- The standard and clause to be pursued in your audit;
- The scope of the audit (an audit scope example includes who you will talk to, which equipment to assess, the questions to be asked, the facilities to be visited, etc.);
- Compliance (generally a “yes” or “no” answer, this column specifies whether your company’s ISMS is in compliance with the standard);
- Findings (including all you have learned during the audit, such as reporting about systems and resources, the content of records, descriptions of the equipment and facilities you viewed, etc.).
Conducting an internal ISO 27001 audit can provide you with a comprehensive, accurate point of view as to how your business measures up against industry security requirement standards. With adequate preparation and a thorough checklist in hand, you and your team will find that this process is a helpful tool that is easily implemented.