One of the basic functions of an Information Security Management System (ISMS) is a periodic internal audit of the ISMS, conducted independently and aligned with the requirements of the ISO/IEC 27001:2013 (ISO 27001) standard. Internal audit sits in clause 9 (Performance evaluation) of ISO 27001:2013, specifically clause 9.2, and its objective is to provide information on whether the ISMS conforms to the organization's own requirements and to the requirements of the standard, and whether it is effectively implemented and maintained. In brief, the internal audit is one of the programs that shows whether your ISMS is credible and performing according to expectations. At the initial stages the internal audit may look like an overhead expense. On the other hand, internal audits help to detect problems, such as nonconformities, that would otherwise remain unknown and for that reason damage your business.
Conducting an ISO 27001 Internal Audit
There are three options for conducting an ISO 27001 internal audit.
- The first option is to employ a full-time internal auditor. Keep in mind that this option is appropriate for larger organizations only, as they are the ones with enough work to keep a full-time person occupied.
- The second option is to use part-time internal auditors. This is the most common case: many organizations use their own employees to perform internal audits when necessary, for example a couple of times per year, alongside their routine jobs. One point is of paramount importance here: to avoid a conflict of interest there must be at least two internal auditors, so that each can audit the area in which the other works, because auditors cannot audit their own work.
- The third option is to hire a person from outside the organization as the ISO 27001 internal auditor. Even though this person is not employed by the organization, the audit is still considered an internal audit, because it is conducted on behalf of the organization itself, according to its own rules. Generally this is done by someone with specific expertise in the field, such as an independent consultant. Using an ISO 27001 consultant is often an advantage because of their experience and expertise, compared to an internal employee who conducts audits only a few times a year.
In addition, depending on whether the organization has already implemented ISO 9001 or another ISO management system standard, and on the profile of the internal auditor it has, there are different ways to organize an efficient ISO 27001 internal audit. An organization can conduct one audit or a series of audits over the year. For a small company, a single audit per year will usually be enough. A large organization, however, might plan to audit one department in January, a different department in February, and so on.
An important consideration is to use the same rules and the same auditor for other standards as well. If an organization has already implemented ISO 9001, it can reuse the same internal audit process, and there is no need to write a separate document for ISO 27001 alone. Moreover, the same auditor can conduct both internal audits if he/she has the right experience and knowledge of all these standards, together with a reasonable understanding of IT. This also saves the time needed to find a completely new person. Furthermore, it is a productive step to write an internal audit procedure and a checklist. A written procedure is not mandatory, but it is recommended because it makes clear how the internal audit is conducted. Note, however, that clause 9.2 of ISO 27001:2013 does require the organization to retain documented information as evidence of the audit programme and the audit results, so the audit plan, the checklist used and the report should be kept regardless of whether a formal procedure exists. Company employees are usually not very familiar with internal audits, so it is useful to have a number of basic rules in written form.
Involvement of top management
The involvement of top management in internal audits is of critical value. Their participation is essential at every stage, from approving the procedure and appointing the internal auditor, to agreeing on the audit programme and reviewing the internal audit report. Most importantly, these responsibilities must not be delegated to lower levels in the company hierarchy, because this could create a conflict of interest for the internal auditor. Another main reason is that important information might otherwise remain hidden from top management. Hence it is the responsibility of top management to make a deliberate choice to own and support the internal audit procedure for their business.