The value that an internal audit brings to your organisation will be influenced significantly by the choice of auditors that perform it. Your internal audit team will have considerable insight into the context that your organisation operates in and how your organisation works. This experience can add a huge amount of value, but your audit team members will need additional skills. They will require a good knowledge and understanding of the ISO 27001 Standard, what it is intended to achieve, and how your organisation meets its requirements in a business environment. Auditors should also have received the appropriate audit training and have achieved the necessary qualifications.
It is essential that auditors are impartial to the processes and activities that they are reviewing. This brings the benefit of an independent perspective and can often lead to greater streamlining of business activities and the implementation of new initiatives.
Auditors should also possess sector-specific knowledge and skills. If this is absent, consider providing some technical assistance. This could come from the department that is being audited, and will allow a degree of clarity or explanation on the more technical or complex aspects of your business. The auditor will add little value if they are blinded by science by the complexities of cryptography, for example, but with the requisite assistance and explanation they will be able to make a judgement on the suitability of ISMS-related business activities.
A successful auditor requires judgement and the ability to evaluate the potential impact of any problems identified. Not every issue will require immediate remedial action. Issues should be evaluated against their potential likelihood or consequence of occurrence, taking into account the mitigation measures that are already in place.
Staff members who possess these attributes may be mentored by more experienced personnel to ensure they maintain a value-add approach to auditing.