In this blog, the focus shifts to internal audit, specifically in the context of certification against ISO/IEC 27001, the international standard for information security management systems. We will take a step back and look at internal auditing from the perspective of people who are new to the subject or want to understand its purpose and relevance. The primary objective of the internal audit process is to provide evidence of whether the organization's information security management system (ISMS) conforms to the requirements of ISO/IEC 27001 and to the organization's own requirements for the ISMS, and whether it is effectively implemented and maintained. In accordance with the Standard, internal audits must be carried out by auditors who are objective and impartial in their assessments.
ISO 27001 Requirement
The requirements for internal audits are set out in Clause 9.2 of ISO/IEC 27001 (in the 2022 edition, 9.2.1 covers the general requirements and 9.2.2 the internal audit programme). To integrate this effectively into management system processes, it is better to treat internal auditing as a business process than as a standalone task mandated by the Standard. Implementing an audit process is not a one-time activity aimed solely at achieving certification; it is a recurring process run at planned intervals and triggered additionally by significant organizational changes, such as a change in the scope of the ISMS or a major system migration.
Once the audit process is established, the next step is to identify suitable auditors. The Standard requires the organization to select auditors and conduct audits in a way that ensures the objectivity and impartiality of the audit process. In practice this means identifying competent, impartial and objective auditors whose independence will stand up to scrutiny from third parties, including the certification body's own auditor.
The auditors can be internal staff members who are already trained auditors, or individuals who receive training to become auditors. Alternatively, external support can be brought in. The choice is entirely up to the organization, as long as the selected auditors do not audit areas for whose design or operation they have been directly responsible: the person who wrote the access control policy, for example, should not be the one assessing how access control is implemented. It is common practice to outsource this activity to ensure the three pillars of internal auditing, competency, objectivity and impartiality, are upheld.
Audit process
As part of the audit process, the Standard requires the organization to plan, establish, implement and maintain an audit programme, including the frequency, methods, responsibilities, planning requirements and reporting for each audit. One practical consideration is to avoid scheduling audits during challenging business periods. This is especially relevant for organizations subject to regular regulatory and client audits, where the aim is to prevent "audit fatigue."
Additionally, care should be taken to avoid excessive auditing of specific business areas wherever possible. This helps prevent any perception of unfair targeting, or of neglecting certain departments or functions. That said, the Standard requires the programme to take into account the importance of the processes concerned and the results of previous audits, so business areas identified as critical through risk assessment, or where earlier audits found nonconformities, will naturally receive more attention in the audit programme.
Each audit should have a defined scope and criteria, agreed before fieldwork begins: which clauses, controls, policies and business areas are being examined, and what they are being assessed against. During the actual audit, it is crucial that all relevant employees are available for interviews and can provide evidence, as necessary, to support the audit. Employees should not feel that they are being interrogated; they should understand that the audit is part of the continual improvement of the ISMS. The audit is typically documented in a report recording the individuals interviewed, the discussions held and, most importantly, the evidence examined. The Standard also requires that documented information be retained as evidence of the audit programme and the audit results. The report should also include:
Any identified nonconformities, if applicable.
Opportunities for improvement.
A nonconformity is the non-fulfilment of a requirement. Nonconformities may arise from the organization's failure to comply with the requirements of the Standard or with its own ISMS requirements as defined in its policies and processes, including the legal, regulatory and contractual obligations it has identified.
From an ISO 27001 perspective, after the internal audit it is necessary to track and manage the findings by identifying remediation activities. This is normally done through the nonconformity and corrective action process in Clause 10, and a nonconformity is not closed until the corrective action has been implemented and its effectiveness reviewed. The audit findings, and potentially the audit report itself, are key inputs to the management review (Clause 9.3), which explicitly lists the results of audits among the information top management must consider, giving it insight into the health of the ISMS and the organization's overall information security position.
Conclusion
Internal audit, as one of the vital management system processes, offers both internal and external benefits by providing evidence that:
The organization has implemented and actively maintains its ISMS: Internal audit demonstrates that the organization has put the necessary effort into establishing and sustaining its ISMS. It verifies that security controls, policies and procedures are implemented in accordance with the requirements of ISO 27001 and of the organization itself.
Top management is actively involved in ensuring the fitness of the ISMS: Audit results are a mandatory input to management review, so a functioning audit process is evidence that top management is regularly informed about the state of the ISMS and takes decisions on it. It shows that management is committed to information security and supports the continual improvement of the system.
The organization is continually working on improving its ISMS: Internal audit is a tool for identifying areas of improvement within the ISMS. By assessing the effectiveness and efficiency of processes and controls, it uncovers weaknesses and opportunities for enhancement and feeds them into the corrective action process. This contributes to the ongoing development and refinement of the ISMS.
ISMS processes and security controls are regularly reviewed and audited: Internal audit ensures that ISMS processes and security controls are subject to regular review. This helps to confirm that they remain effective, up to date and aligned with the changing threat landscape and business requirements.
Overall, internal audit, whether carried out in-house or with the support of an ISO 27001 consultant, provides valuable evidence that an organization is actively maintaining and improving its ISMS, with the involvement of top management and periodic review of its processes and controls. This evidence reinforces confidence both internally and externally, demonstrating the organization's commitment to information security management.