ISO 27001 Internal Auditing FAQ

The responsibility to conduct an audit will typically be delegated by a member of the organisational leadership team. This individual will have a greater oversight of the organisational ‘landscape’ and should provide the Scope and Criteria for the audit. Armed with this, the auditor can then begin to plan the structure of the audit. Typical considerations would be as follows:

How long have I been allocated to conduct the audit?
Who would be the best representative to speak to regarding the audit I have been asked to conduct?
How can I plan my audit with the department to maximise the available time?
From the Criteria (the ‘what should be’), how can I extract questions that will enable me to investigate to the extent necessary to confirm that this requirement is being met?
What evidence should I expected to be see, or be presented in support of this investigation (the ‘what is’)?Once you have decided upon a plan for your audit, it is good practice to forward this to the auditee, to enable them to arrange for the relevant people to be available.

Once these (and any other questions) have been answered, the auditor should arrange an opening meeting with the auditee(s). For an internal audit this is likely to be a relatively informal affair, consisting of introductions and confirmation of, or changes to, the audit arrangements.

At the conclusion of this meeting, the audit can begin. Individual staff should be interviewed, processes observed and documentation that has been produced in support of business activities should be reviewed. Auditors should follow an approach of ‘ask, check, verify and record’:

Ask - ask open questions to begin conversations about the process or system. Listen to the answers provided, as these may lead to further ‘probing’ questions to illicit more detail. If a potential trail appears, providing it does not lead the auditor outside the Scope of the audit, further investigations may be required.
Check - use additional questions to verify the facts of the auditees comments.
Verify - look for supporting evidence of what the auditee has said.
Record - make a note of the evidence of what you have been told, either positive or negative findings, ensure you record as much detail as necessary in the event of a finding, so that your report will lead the auditee precisely to where the problem has been identified.

For more detailed insight and advice on preparing for and conducting internal audits, refer to URM’s webinar recordings.

‍

Never miss a thing

Stay in the loop

Please provide your contact details and we will email you with any future changes to ISO 27001 (and the implications!).

URM holds free seminars and webinars for end-user organisations focusing on information security.

Find out more

related BLog

Governance, Risk Management and Compliance

Information Security

ISO 27001

Top Tips For Implementing an Effective ISO 27001 Information Security Management System (ISMS)

Latest update:

26 May

2023

URM provides some top tips for achieving an effective and successful information security management system implementation

Information Security

updateD:

11/4/2023

10 Top Tips for Keeping Information Secure When Homeworking

In this blog, we aim to provide 10 top tips to enable you to keep important information assets safe and secure whilst working remotely.

Information Security

updateD:

2/3/2023

ISO/IEC 27001:2022 Key Changes

Following the publication of ISO/IEC 27001:2022 on 25 October 2022, this blog will provide you with our high-level analysis of the key changes.

Information Security

updateD:

21/2/2023

How Secure is Zoom?

Many organisations have had to adapt very quickly to the rapidly changing restrictions brought in across the globe to help combat the spread of COVID-19.

Without doubt, URM helped us to achieve our planned objectives a lot sooner than expected. The engagement was a huge success and couldn’t have gone any better.

Tony Smollett

Group IT Director, UK Mail

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.

ISO 27001 Internal AuditFrequently Asked Questions

Stay in the loop

Top Tips For Implementing an Effective ISO 27001 Information Security Management System (ISMS)

Let us help you

ISO 27001 Internal Audit
Frequently Asked Questions