With this week’s blog, the spotlight turns to internal audit and specifically in the context of
ISO 27001, the International Standard for Information Security Management. We will step
right back and look at internal auditing from the perspective of those new to the subject or
those trying to understand where and why it fits.
The purpose of an internal audit process is to ensure that the organisation has taken every
appropriate precaution to verify the effectiveness of its information security management
system (ISMS) against the requirements of ISO 27001 and the organisation’s own requirements
for the ISMS. To achieve this, according to the Standard, internal audits must be conducted
by objective and impartial auditor(s) (ISO/IEC 27001, 2013).
ISO 27001 requirement
The internal audit requirements are stipulated in Clause 9.2 of ISO/IEC 27001. In order to address this, as an integral
part of management system processes in general, it is recommended that you approach this as a business process, not
a stand-alone process you have to do because the Standard says so. Implementation of an audit process is not a one-off
activity to achieve certification, but a recurring process that will be triggered at regular intervals or when there is a
significant change in the organisation. A simple representation of an internal audit process can be found at the end of
Once the audit process has been established, we need to identify our auditors. As stated above, auditors must be selected
who will ensure the objectivity and impartiality of the internal audit process. For the purpose of meeting the requirements
of ISO 27001, identifying competent, impartial and objective auditor(s) includes setting the requirements that would sustain
any reproach from third parties.
Selected auditor(s) can be internal personnel who are already auditors or those who you train to be auditors. You can seek
external support if you prefer. The choice is entirely yours as long as these individuals are not assessing anything that they
have been involved in developing or implementing. It is common practice to outsource this activity to ensure the three pillars
of internal auditing are preserved: competency, objectivity and impartiality.
As part of the audit process, a schedule or programme must be established, planned, implemented and maintained. A key
practical consideration here may be to avoid any audits taking place during challenging business periods. This is particularly
relevant to those organisations who are subject to regular regulatory and client audits and want to avoid ‘audit fatigue’.
Likewise, due care should be taken not to extensively audit certain business areas if it can be avoided, in order to avoid any
criticism that departments/functions are either being picked upon or being neglected. Naturally, however, those business
areas identified as being critical by the risk assessment will feature prominently in any audit programme.
During the actual audit, all pertinent employees need to be available for interview and to provide evidence, where required,
to support the audit. It’s important employees don’t feel as if they being subjected to an interrogation and that they understand
the audit is all part of a process to continually improve the ISMS. It is also important that the audit is documented, typically
in the form of a report, recording who was spoken to, what was said and importantly, what evidence was found along with a
summary of the findings. It should also contain:
Nonconformities identified if any
Opportunities for improvement.
Identification of nonconformities can stem from the organisation’s lack of compliance with the requirements of the standard,
or its own ISMS requirements as defined in policies/processes and identified legal and regulatory requirements.
From an ISO 27001 perspective, following the internal audit, the findings need to be tracked and managed with remediation
activities identified. Often this is through the corrective action or continual improvement process. The findings, and possibly
the report, will be key inputs to the management review providing an indication of the health of the organisation’s ISMS and
overall information security position.
As one of the most important management system processes, internal audit will provide benefits internally and externally
by providing evidence that:
An organisation has implemented and actively maintains its ISMS
‘Top management’ is actively involved in ensuring that the ISMS is fit for purpose,
An organisation is continually working on improving its ISMS
ISMS processes and security controls are reviewed and audited at regular intervals.
Internal audit process