Planning Your ISO 27001 Audit Programme

An ISO 27001 requirement

Clause 9.2 of ISO 27001 requires certified/conforming organisations to conduct internal audits, specifying that:

• The audits need to be planned at suitable intervals, defined, and documented
• The audit programme needs to be appropriate to your organisation
• Audit results need to be documented, and any information retained.

As well as being a requirement under Clause 9, the outputs from the audit will inform the corrective actions and continual improvements you implement under Clause 10.  As such, audits are a vital activity for meeting the requirements of multiple ISO 27001 clauses and are absolutely key to improving your ISMS.

Types of audits

There are three types of audits which are known as first, second and third-party audits.  First party audits are otherwise known as internal audits and can be conducted by the organisation themselves or they can be outsourced to a third party.

‍

‍

‍

Third-party audits are a type of external audit (i.e., not conducted by the organisation) and are usually carried out by a completely independent third party, for example a certification body (CB) conducting an assessment of an organisation’s ISMS to determine whether it meets the requirements of the ISO 27001 Standard.  If it does, the CB will then recommend the organisation for ISO 27001 certification or recertification. External audits can also be conducted by interested parties (such as partners or customers) seeking assurance of the ISMS’ conformance to ISO 27001 and of the organisation’s good practices.  These are known as second-party audits, and whilst they will not result in certification as only a certification body can provide this, they may help fulfil business requirements and criteria set by the interested party.  For more information about interested parties and ISO 27001, read our blog on How to Meet the ISO 27001 Requirements around Interested Parties.

Audit programme benefits

As mentioned above, internal audits are a requirement of ISO 27001 and must be conducted in order to achieve and maintain certification. However, aside from their status as a certification requirement, audits can provide a range of benefits to your organisation.  Audits will measure and assist with the improvement of the conformance of your ISMS to the Standard and will increase the level of awareness around information security and the ISMS among management and your staff. They can highlight both adherence to best practice and risks that exist within organisational processes, and will enable you to identify any areas where processes are not currently being followed.  Audits can also provide information for management reviews, the basis for root cause analysis of any issues captured, and can provide input into your risk management process by determining the effectiveness of controls. Audits can ultimately help you improve customer satisfaction and avoid reputational damage by reducing the likelihood of errors, which may lead to breaches or complaints.

Key factors in audit preparation

There are several key factors you will need to consider as you start to prepare for an audit, including:

• Size and complexity of the organisation – This may include the number of physical locations, people, interdependencies of the business, data, products, and services.
• Key functions and processes – Systems, planning and development, marketing and sales, demand and supply, along with customer and supplier management.
• Scope – This defines the boundaries of your organisation and will include any interdependency on external factors such as suppliers, processes, and any legal requirements.
• Availability of auditees and auditors – The staff members (auditees) both at the senior and managerial level to be interviewed and the audit team member (auditor) available on the day of the audit.
• Degree of assurance required – This provides a level of confidence to your organisation on the validity, accuracy, and completeness of the audit programme.
• Auditor competence – The auditor must be knowledgeable of audit principles, practices, and techniques, along with the subject matter.
• Auditor independence or impartiality – The auditor’s opinions and assessments must be impartial and free from conflicts of interest.
• Incidents – Incidents that have been captured, reported and those that have been addressed.
• Previous audit findings – Having access to a previous audit report provides not only clarity, direction and understanding, but will also allow the auditor to add any outstanding findings to the current report

.

‍

Audit methodology

It is important for your organisation to document its audit methodology and establish key criteria against which all audits will be performed. This will ensure that audit outcomes will be comparable.  Some key elements that need to be included in your audit methodology are as follows:

• Interviews (what we are told happens) – The auditor will interview those individuals responsible for elements of the management system, as well as those who are responsible for implementing and managing controls.
• Documentation (what is supposed to happen) – These documents are usually policies, processes and procedures that document what is supposed to happen.  This can be compared with what we are told in the interviews to determine if processes are working as expected.
• Records (what happened – linked to the degree of assurance required) – Records provide evidence that policies, processes and procedures have actually occurred in the way that they are required to take place.  Generally, we would expect the records to align with what we are told in interviews.  Records can be a range of different things including paper documents, electronic documents, CCTV footage, systems logs, etc.
• Sampling – Sampling is used to reduce the need to look at every iteration of something.  For example, if you are performing an audit against the starters and leavers process, all new starters and leavers should have followed the same process.  In an organisation that has a high staff turnover, the auditor could select just a representative sample of starters and leavers rather than looking at all the records. Characteristics of the sampling approach should include:
  - The sample is randomly selected to avoid accusations of bias.
  - The sample should be representative of risk priority - the higher the risk, the greater the sample number and vice versa.
  - The auditor should determine samples, again to avoid bias.
  - If results are ambiguous, the audit size should be increased.
  - If there is a high degree of consistency and repetition, consideration can be given to reducing the sample size.
  - Linked to the degree of assurance required.  The greater the assurance is required by management, the larger the sample size should be.

Determining scope and criteria

One of the earliest steps necessary in establishing your audit programme is determining the scope of audits.  This will help determine how much time, travel, resources, etc. will be required to complete the audit.  Your scope will also help you define what the audit needs to evaluate (systems, processes, procedures, policies, and controls), also known as the scope inclusions, as well as the scope exclusions, i.e., which elements can be excluded or performed in future audits.  Your scope should also include your justification, i.e., the reason and need for the audit (certification or re-certification, surveillance audit, planned or unplanned).

Meanwhile, the criteria define the factors against which the scope inclusions are evaluated and, in the context of an ISO 27001 audit, this will generally be the Standard itself and your organisation’s documented policies, processes and procedures.  Put simply, audit criteria are those things within the Standard, as well as policies, processes and procedures, that your organisation will be expected to meet.  Meanwhile, the audit procedure itself is conducted with the aim of determining whether the criteria have been met or not.  

ISO 27001 states:

‘The organisation shall conduct internal audits at planned intervals to provide information on whether the information security management system (ISMS):

1. conforms to
   A) the organisation’s requirements for its ISMS
   B) the requirements of this International Standard, and
2. is effectively implemented and maintained’

Therefore, the audit criteria are:

• Mandatory clauses from ISO 27001
• Applicable controls from Annex A of ISO 27001
• Other controls as noted in the Statement of Applicability
• Organisational policies, processes, procedures, and standards.

The auditor will determine the audit scope and criteria at the beginning of the process and makes these the basis for performance evaluation and report writing.

Logistics considerations

Once the scope and criteria are set, there are further, logistical aspects that you will need to consider in order to ensure the audit programme runs smoothly.  You will need to consider, for example, your physical location.  If an in-person audit is required, are there auditors available in the area and are the available auditors competent?  Will you require interpreters, translators, technical specialists, or guides?  Is the timing of your audit convenient, or will it overlap with a holiday season or a busy period?  These, and other important logistical questions, can be make or break a successful and seamless audit.

Prioritising audits

ISO 27001 audits should be performed at regular intervals and are typically structured around a 3-year schedule, as per the lifecycle of your ISO 27001 certification.  The priority, frequency, and intervals between audits can vary based on a number of factors relating to the context of your organisation.  As a rule of thumb, if you have identified a high level of risk in your risk assessment, an incident has occurred previously, or if nonconformities have been identified in your previous audit, it is advisable for you to conduct more frequent audits and to audit sooner rather than later.  The criticality of processes, and your management, legal and regulatory, and contractual requirements will also come into play when you prioritise and plan your audit schedule.  However, it is important to ensure that all elements/controls are audited within the 3-year certification cycle.  

The audit programme must be structured considering the following:

• The audit programme should be dynamic and flexible
• Adjust the audit programme as required, based on rules of thumb defined above.

The audit process is quite flexible and dynamic, and can be adjusted as required.  For example, if there are poor audit results in certain areas of your organisation, these areas might be more frequently audited than those that have performed well in previous audits.

Managing audits

Once the audit programme has been established, you will need to ensure it is properly managed and maintained.  Best practice dictates that the audit programme should be approved by an appropriate authority, assigned to one or more individuals and, if there is more than one auditor, have a lead auditor appointed.  The audit should also follow established procedures and be monitored and reviewed at appropriate intervals.  When reviewing the audit programme, you will need to consider whether it is meeting its objectives; in essence, you should be ‘auditing the audit process’ and looking to identify any opportunities for its improvement.

Meanwhile, you will need to retain records of the audit programme and audit programme review, details of the audit team, records which validate their competency and, of course, of the audit reports that are produced, including any nonconformities, corrective action tracking and follow-up audit reports.