What are the Basics of Internal Auditing?

Latest update:
11 Aug
2022

With this blog, the spotlight turns to internal audit and specifically in the context of ISO 27001, the International Standard for Information Security Management.  We will step right back and look at internal auditing from the perspective of those new to the subject or those trying to understand where and why it fits.

The purpose of an internal audit process is to ensure that the organisation has taken every appropriate precaution to verify the effectiveness of its information security management system (ISMS) against the requirements of ISO 27001 and the organisation’s own requirements for the ISMS.  To achieve this, according to the Standard, internal audits must be conducted by objective and impartial auditor(s).

ISO 27001 Requirement

The internal audit requirements are stipulated in Clause 9.2 of ISO/IEC 27001.  In order to address this as an integral part of management system processes in general, it is recommended that you approach this as a business process, not a stand-alone process you have to do because the Standard says so.  Implementation of an audit process is not a one-off activity to achieve certification, but a recurring process that will be triggered at regular intervals or when there is a significant change in the organisation.  

Once the audit process has been established, we need to identify the auditors.  As stated above, auditors must be selected who will ensure the objectivity and impartiality of the internal audit process.  For the purpose of meeting the requirements of ISO 27001, identifying competent, impartial and objective auditor(s) includes setting the requirements that would sustain any reproach from third parties.

Selected auditor(s) can be internal personnel who are already auditors or those who you train to be auditors.  You can seek external support if you prefer.  The choice is entirely yours, as long as these individuals are not assessing anything that they have been involved in developing or implementing.  It is common practice to outsource this activity to ensure the three pillars of internal auditing are preserved: competency, objectivity and impartiality.

Audit process

As part of the audit process, a schedule or programme must be established, planned, implemented and maintained.  A key practical consideration here may be to avoid any audits taking place during challenging business periods.  This is particularly relevant to those organisations who are subject to regular regulatory and client audits, and want to avoid ‘audit fatigue’.

Likewise, due care should be taken not to extensively audit certain business areas if it can be avoided, in order to avoid any criticism that departments/functions are either being picked upon or being neglected.  Naturally, however, those business areas identified as being critical by the risk assessment will feature prominently in any audit programme.

During the actual audit, all pertinent employees need to be available for interview and to provide evidence, where required, to support the audit.  It is important that employees don’t feel as if they are being subjected to an interrogation and that they understand the audit is all part of a process to continually improve the ISMS.  It is also important that the audit is documented, typically in the form of a report, recording who was spoken to, what was said and importantly, what evidence was found along with a summary of the findings.  It should also contain:

  • Nonconformities identified if any
  • Opportunities for improvement.

Identification of nonconformities can stem from the organisation’s lack of compliance with the requirements of the Standard, or its own ISMS requirements as defined in policies/processes and identified legal and regulatory requirements.

From an ISO 27001 perspective, following the internal audit, the findings need to be tracked and managed with remediation activities identified.  Often this is through the corrective action or continual improvement process.  The findings, and possibly the report, will be key inputs to the management review, providing an indication of the health of the organisation’s ISMS and overall information security position.

Conclusion

As one of the most important management system processes, internal audit will provide benefits internally and externally by providing evidence that:

  • An organisation has implemented and actively maintains its ISMS
  • Top management’ is actively involved in ensuring that the ISMS is fit for purpose
  • An organisation is continually working on improving its ISMS
  • ISMS processes and security controls are reviewed and audited at regular intervals.

Thumbnail of the Blog Illustration
Information Security
updateD:
11/8/2022
How to Improve Your Password Management

One of the long-held beliefs underpinning many a password policy is that forcing a regular password change is a good thing.

Read more
Thumbnail of the Blog Illustration
Information Security
updateD:
23/1/2023
Everything You Need to Know About ISO 27001 Certification

ISO 27001 is the International Standard for Information Security Management. As with all ISO standards, it has been developed by a panel of experts from across the globe and provides a specification

Read more
Thumbnail of the Blog Illustration
Information Security
updateD:
20/7/2022
How do You Develop and Implement an Incident Management Plan?

Due to the increased use of information technologies and the ‘human’ involvement (both malicious, accidental and incompetent!), it is inevitable we are all going to face more and more information...

Read more
"
Without doubt, URM helped us to achieve our planned objectives a lot sooner than expected. The engagement was a huge success and couldn’t have gone any better.
Group IT Director, UK Mail
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.