What are the ISO 27001 requirements for an internal audit?

Requirements for conducting internal audits are contained within Clause 9.2 of the Standard. This Clause states that your audits are aimed at providing assurance that your ISMS is meeting both your own organisational requirements for your ISMS and the requirements of the Standard itself. Naturally, the first aspect will vary greatly, as organisations adapt their business model to achieve conformity to the Standard. It should be noted that the Standard explicitly prohibits the exclusion of any element of Clauses 4-10 from your ISMS, although some flexibility is granted regarding the Annex A Controls. It is important to remember, however, that the Standard merely specifies requirements; how your organisation interprets and implements these requirements is down to you.

Each internal audit that is conducted must have a defined scope and criteria. The scope of the audit sets the boundaries for your auditors. For example, the scope may be limited to a department or function; naturally, the wider the scope of the audit, the more time and resources will be required. The criteria for your internal audit are effectively what you are assessing against. Examples of this could be ‘Clauses 4-6 of the Standard’ or ‘a selection of Controls from Annex A’. Another example of audit criteria could be ‘your own organisational policies’, which have, hopefully, been developed in line with the requirements of the Standard.

These parameters are typically defined by someone who acts as the audit programme manager: someone who has a holistic view of the organisation and is able to focus the internal auditors’ energy where it will be most effective.

Finally, the internal audit results and the internal audit schedule must be documented to provide evidence that audits have been carried out effectively. There are a range of outputs that may be produced following an audit, including a list of the auditees, the questions that were posed against the specified audit criteria, the findings and the supporting evidence, notes, and ultimately a report that captures the conclusion(s) of the audit. All of these should be retained by your organisation to inform future decisions. Adverse findings may be used to influence the focus and frequency of subsequent audits.
