IL7 Security – Guide to the ISO 27001 Internal Audit
The International Standards Organisation has its own standard for conducting audits, laid down in ISO 19011. Below, IL7 draws on this standard, on what has been learnt from experience and on what has been gleaned from industry experts to explain how to conduct an Internal Audit against ISO 27001.
The main purpose of the internal audit is to improve the ISMS. The purpose of the external audit is to obtain the certificate, and for this you need to supply the annual Audit Programme and the Internal Audit report (amongst the other mandatory documents). Other optional but recommended documents are the Audit Procedure, which defines when, how and what is being audited, and the Audit Plan, which covers the details. The Audit Programme is a schedule outlining the frequency of audits; it defines the objectives, reasons and criteria, who is responsible for conducting the audit and who should follow up the audit findings. The Audit Report, detailing those findings, positive and negative observations and major and minor non-conformities, is to be reviewed by management.
It is important that the internal audit is conducted by somebody who knows the business, has the right consultancy qualities, is technically knowledgeable and is confident in purpose. It is also important to avoid a conflict of interest: the internal auditor should be independent of the group responsible for the ISMS.
The Audit Plan can set out whether the audit is to be conducted clause by clause (starting with clause 4) of the standard or by review of all relevant processes. It could also be conducted through review of all mandatory documents, the supporting policies and procedures of the ISMS, and the Statement of Applicability. The recommendation here is that document review is the preferred route, with the auditor applying knowledge of the standard and treating the relevant processes as integral to the review. It is important to define the audit criteria, including the clauses in the standard, and to make explicit reference to 3rd party requirements (the ICO regulator, legislation and contracts, including supplier management agreements and policy). This should be discussed with senior stakeholders, management and information asset managers before the plan is completed. With consensus, the Audit Plan can address the timescales, roles and responsibilities realistically, with manageable targets. It is important that the audit follows the next seven stages in sequence.