The ISO 27001 Standard requires that internal audits be conducted at planned intervals. On the face of it, this gives organisations a degree of flexibility in the frequency with which they carry out internal audits. The Standard does, however, provide some clarity when it states that the frequency of internal audits should be influenced by the importance of organisational processes. This risk-based approach effectively means that the areas where you may suffer the consequences of an oversight ‘first and worst’ should be audited more frequently than the more routine areas.

The Standard also requires that the frequency of internal audits be aligned with the results of previous audits. If an area or department, for example, is continually giving cause for concern, it would be sensible to audit it a little more often. Conversely, if a department is consistently demonstrating high levels of performance, there are grounds for reducing the frequency of its audits.

Internal audits should also be conducted by auditors who are objective and impartial with respect to the process or activity being reviewed. The objectivity element requires that findings are based on tangible evidence, not ‘gut feeling’; any concerns raised during an audit should be backed up by such evidence. The impartiality requirement means that you should not be involved in an audit of your own department or documentation. This aspect can bring considerable value, as it provides a ‘second set of eyes’ review of how your department conducts its business.