Preparing for an ISO 27001 internal audit is a daunting task, especially if you’ve never performed one before. Don’t worry, though! Getting ISO 27001 certified is a great thing to do for your business. It shows you care about your security and, most importantly, your clients’ security. What’s more, the latter will bring you more repeat business and help you grow your client base.
In this article, I’ll discuss what ISO 27001 is as well as why it’s important. Then, we’ll get into what’s involved with an internal audit. Finally, I’ll share a handy checklist to help you along the way. Let’s take a look and see what ISO 27001 is all about.
ISO 27001 and Its Importance
ISO 27001 is an international standard set forth by the International Organization for Standardization (ISO). 167 countries around the world recognize the ISO standard.
Specifically, ISO 27001 standardizes the protection of information assets. This includes paper files, documents, binders, filing cabinets, emails, and more. The goal of ISO 27001 is to protect this data. It ensures all the policies regarding it are indeed up to date. It also checks whether the company is following the guidelines set forth by the ISO.
The ISO standard measures your company against many standard criteria. Specifically, the standard consists of 114 controls within 14 groups and 35 control categories. Let’s take a look at these.
ISO 27001 Control Groups
To clarify, ISO 27001 will hold your company accountable according to these 14 groups:
- A.5: Information security policies
- A.6: Organization of information security
- A.7: Human resource security
- A.8: Asset management
- A.9: Access control
- A.10: Cryptography
- A.11: Physical and environmental security
- A.12: Operations security
- A.13: Communications security
- A.14: System acquisition, development, and maintenance
- A.15: Supplier relationships
- A.16: Information security incident management
- A.17: Information security aspects of business continuity management
- A.18: Compliance with internal and external requirements, such as laws
Now, how do you conduct an internal audit on your company? Where do you begin? What documentation should you follow? Well, I have some mandatory reading for you to help answer these questions.
Mandatory ISO 27001 Requirements
The first thing to remember is that not all organizations are alike. Therefore, not all controls apply to them. However, before you can even begin the audit, you’ll need to write and scope out your Information Security Management System (ISMS). The ISMS is basically your guidebook on your organization’s security policy.
Furthermore, ISO 27001 clause 6.12 states that you must conduct a risk assessment and define a risk treatment methodology. In other words, if you find some risk, what’s your process to remediate that risk?
Besides that, you’ll also have to write your documentation for the standard’s other required clauses. You can find more information on each clause in the standard itself.
Because of these clauses, the first phase of the certification can take up to 6 months to complete. If you don’t already have these processes documented, then assemble a team and get writing. Documentation aside, let’s now take a look at the steps involved in the internal audit itself.
What Is Involved in an ISO 27001 Internal Audit?
All in all, the audit consists of 5 parts.
1. Documentation Review
To begin with, this is a review of your organization’s policies, procedures, standards, and guidance documentation to ensure that it’s fit for purpose, reviewed, and maintained. These documents are the ones I spoke about in the preceding section. The auditor will then review that you have the documentation and that it meets the criteria.
2. Evidential Audit
This is an audit activity that actively samples evidence. It demonstrates that workers are complying with policies, following procedures and standards, and considering guidance. You can collect this evidence by talking to employees about processes and procedures, as well as taking samples from work items.
3. Analysis
Following the documentation review and evidential sampling, the auditor will then assess and analyze the findings. Consequently, they’ll confirm whether the standard’s requirements are being met.
4. Audit Report
After the analysis is complete, you’ll then prepare an audit report and provide it to management to ensure visibility. This is a required step no matter the outcome of the audit.
5. Management Review
Lastly, management must review the report and consider the findings of the audits. Then, you should ensure the implementation of corrective actions and improvements as necessary.
To ensure you’re ready for the audit, I’ve put together a checklist for your convenience in the next section.
ISO 27001 Audit Checklist
This checklist will come in handy and help you prepare for your audit. The last thing you want is to enter into the audit phase unprepared, which obviously lengthens the process further.
1. Documentation Review
- Review all the documentation you used when you began creating your ISMS
- Ensure the audit’s scope matches your organization (this will help you set well-defined boundaries in the audit process)
- Identify all the key people involved in your ISMS so you can route the auditor’s information requests to them
2. Management Review
- Start meeting with management early and establish rules, communication, expectations, and a timeline
- Set regular check-in meetings to ensure both sides complete their tasks on time
3. Field Review
- Speak to the IT department to gauge how the ISMS is working in real life (that’ll help you determine if it’s being disregarded)
- Conduct audit tests and gather evidence to establish what’s working and what isn’t
- Document findings from each test in a report
- Review your ISMS and other related information to compare your findings
4. Analysis
- Sort and review evidence and findings concerning your risk treatment plan
- Analyze the gaps in your process or conduct more tests
- Create a report to present to the management team
5. Audit Report
- Write an introduction to clarify the scope, objectives, timeline, and extent of the audit
- Create an executive summary to cover the key findings, high-level analysis, and a general summary of the audit
- List the intended recipients of the findings, conclusions, and recommended corrections
- Conclude with a statement detailing recommendations and scope limitations
In brief, this comprehensive checklist will help you outline your tasks for your internal audit. This will hopefully help you prepare as much as possible.
After reading this article, you should be ready to prepare for an internal audit for your ISO 27001 certification. I showed you all the control groups the ISO checks for, but you should still determine which ones apply to your organization. I also detailed the whole process of the audit and gave you a checklist to refer to at every step.
You have done the right thing by starting down the path to an ISO 27001 certification. Good luck on your quest!
If you have any questions about the topic, check out the FAQ and Resources sections below.
FAQ
What are the benefits of getting an ISO 27001 certificate?
The ISO 27001 certificate proves to your customers and the business community at large that your organization is serious about data security. ISO 27001 is an international standard recognized in 167 countries, so no matter where you do business in the world, your certification will be recognized as a signal of how seriously you take security.
Who conducts the actual ISO 27001 audit?
You conduct an internal audit yourself. By contrast, an auditor from the ISO will conduct your certification audit. Generally, internal audits help you maintain your certification or prepare for an initial certification audit so you avoid any surprises.
How often should I do an internal audit?
No guidelines state any time limits for internal audits, but it’s generally a good idea to do it annually. However, annual audits consume a lot of resources, so they might not be ideal. As a result, many prefer to conduct them every two to three years.
What is an ISMS?
ISMS stands for Information Security Management System. It’s a guidebook to your organization’s security systems, protocols, and the people who work directly with them. In essence, your ISMS helps you protect and manage your organization’s information and data through effective risk management and mitigation. It also enables compliance with many laws, including the GDPR (General Data Protection Regulation). Finally, it focuses on protecting three key aspects of information: confidentiality, integrity, and availability. In short, it’s the keystone of an ISO 27001 audit.
How long does an internal audit take to perform?
It really depends on the size of your organization, how many people work there, and the current state of your existing documentation. On average, it could take anywhere from 2-4 months to complete an audit.
Resources
TechGenix: The Journey to ISO 27001 (Part 1)
Learn how to get started on your path towards certification.
TechGenix: The Journey to ISO 27001 (Part 2)
Continue on your path towards certification.
TechGenix: Article on ISO 27001 and Getting Certified
Learn what ISO 27001 is and how to get certified.
TechGenix: Guide on Getting an ISO 27001 Certification
Here’s a step-by-step guide on how to get started on your path towards certification.
TechGenix: Article on Noteworthy ISO Standards
Learn more about some notable ISO standards.