How To Conduct An Efficient ISO 27001 Internal Audit

How To Conduct An Efficient ISO 27001 Internal Audit

For an Information Security Management System (ISMS) one of the basic functions is a periodic internal audit of the ISMS conducted independently aligned with the requisites of the ISO IEC 27001:2013 (ISO 27001) standard. According to the section 9 of the management requirements for ISO 27001:2013 the objective of the internal audit is the assessment of performance. To be brief, the internal audit is one of the programs that show if your ISMS are credible and its performance according to the desired expectations. Most likely, the internal audit seems to be an overhead expense at initial stages. On the other hand, internal audits can facilitate in determining problems such as nonconformities that would remain unknown otherwise and for that reason damage your business.

Conducting an ISO 27001 Internal Audit

For conducting an ISO 27001 Internal Audit we have three options.

  1. First option is to get the services of a full-time internal auditor. However, it must be kept in mind that this option is appropriate for larger organizations only as they would have an adequate amount of work for a full-time person.
  2. The second option is to avail the services of part-time internal auditors. This situation can be observed in majority of the cases as many organizations use the services of their own employees in order to perform internal audits and they do so when necessary such as, a couple of times per year together with their routine jobs. It is important to consider one point which is of paramount value: if we want to avoid any sort of conflict of interest there must be two internal auditors as a minimum so that they could review the regular work of each other because auditors cannot check their own work.
  3. Now the third option for conducting an ISO 27001 internal audit is to hire the services of a person outside of the organization as an ISO 27001 internal auditor. Even though this person is not employed in the organization, still it will be considered as an internal audit for the reason that the audit is conducted by the organization itself, consistent with its own rules. Generally, this is performed by such a person who has special expertise in this field like an independent consultant. Often using an ISO 27001 consultant can be an advantage due to their experience and expertise, compared to an internal employee who is only conducting audits a few time a year.

In addition to that, depending on whether an organization has already implemented ISO 9001 or any other standard of ISO management, and the profile of internal auditor it has, there are different choices for conducting an efficient ISO 27001 internal audit. An organization can conduct one audit or a series of audits over the year. For a small company, it will be quite enough to conduct a single audit during the period of one-year. However, for a large organization, it might consider to plan an audit being conducted in one department in January, in a different department in February, and so on.

An important consideration is to use the similar rules and same auditor for additional standards too. If an organization has already implemented ISO 9001, than it is possible to use the same process for the internal audit and there will be no need to generate a new document for ISO 27001 only. Moreover, the same auditor can conduct both internal audits if he/she has got the right experience and knowledge regarding all these standards along with average understanding on the subject of IT. It will also save your time to seek the services of a totally new person. Furthermore, it is a productive step to write an internal audit process and a checklist. A written procedure is not a mandatory step but it is recommended as it would make things clear by defining how the internal audit is conducted. Usually, the company employees are not very acquainted with internal audits; therefore it is useful to have a number of basic rules in written form.

Involvement of top management

The involvement of top management in internal audits holds imperative value. Their participation is essential from approving the process and employing the internal auditor, to agreeing on the audit program and going through the report of internal audit. Most importantly, these responsibilities must not be delegated to subordinate levels in the company hierarchy, as this could give rise to a conflict of interest for the internal auditor. Another main reason to do so is that some important information might remain hidden from the top management. Hence, it is the responsibility of the top management to make a careful choice that they will agree to take and support the procedure of internal audit for their business.

If you are looking to outsource your internal audit program for ISO 27001 or any other standards, then contact us for a free quote and consultation on how we can support your organization.

Request a free consultation

Contact us to discuss your needs and see how we can support to reach your goal.

Recent posts

How Can ISO 45001 Consultancy Support an Organisation
How Can ISO 45001 Consultancy Support an Organisation

ISO 45001 is an internationally recognised standard for occupational health and safety management systems. It provides a framework that organisations can use to manage and improve their OH&S performance, minimize...

Learn More
What is the ISO Certification Process
What is the ISO Certification Process

ISO (International Organisation for Standardisation) is an independent, non-governmental organisation that develops and publishes international standards for various industries and fields. The ISO certification process is a way for organisations...

Learn More
Benefits of Attending an ISO 9001 Auditor Training
Benefits of Attending an ISO 9001 Auditor Training

What is ISO 9001 ISO 9001 is the most widely used and recognised global standard for a Quality Management System (QMS). Its primary goal is to assist companies meet the...

Learn More

Just a Few of Our Clients

 Bellingham + Stanley
 Defence Science and Technology Laboratory
 Elemental Microanalysis

Request a Free Consultation

Contact us to discuss your needs and see how we can support to reach your goal.