ISO 27001 Internal Audit: Everything You Need to Know

Srividhya Karthik


Sep 25, 2024

In a framework like ISO 27001, an internal audit isn’t a line item on a checklist—it’s more of a health check of the information security systems. The goal isn’t to pass or fail but to understand whether the systems are resilient and functioning as intended.

Designed to evaluate your organization just like an external auditor would, ISO 27001 internal audits push you towards continuous improvement and help you avoid last-minute scrambles before the stage 1 and stage 2 certification audits. In this article, you will learn what an internal audit is, who can conduct it, when you should conduct it, and the steps involved in performing one.

What is an ISO 27001 Internal Audit?

An ISO 27001 internal audit is an internal review carried out by the organization to evaluate whether it meets the requirements of the ISO 27001 standard and is prepared to undergo an external audit.

According to the ISO 27001 security and compliance glossary:

  • Internal audits aren’t one-and-done exercises. They must be performed before your ISO 27001 certification audit to ascertain whether your organization is audit-ready, and again after a successful certification (but before the recertification audit) to assess whether your Information Security Management System (ISMS) continues to meet the ISO 27001 standard.
  • Internal audits can be conducted by an auditor within the organization or by a third party, such as a consulting firm. The auditor must, however, present an impartial opinion and report non-conformities to senior management.

Note that ISO 27001 does not define how often an organization must conduct an internal audit.

What are ISO 27001 internal audit requirements?

The ISO 27001 internal audit requirements are laid down in clause 9.2 of the standard and are detailed and stringent. Clause 9.2(a) requires organizations to conduct internal audits at planned intervals, and 9.2(b) requires that the internal audit check conformance to the ISO 27001 requirements.

Here are five clauses you should be looking at as per ISO internal audit requirements:

Clause 9.2(c): Audit program

Clause interpretation: Organizations must plan, establish, implement, maintain, and continually improve an audit program. The program must include audit frequency, methodology, roles and responsibilities, reporting procedures, and corrective action implementation.

How to comply: To meet the requirement, organizations must:

  • Create an internal audit schedule defining whether the internal audit will be conducted annually, biannually or quarterly, and the areas to be audited.
  • Define the audit methodology, i.e. whether risk-based, asset-based or process-based audits will be conducted.
  • Appoint qualified and unbiased internal auditors.
  • Establish a reporting mechanism for any non-conformities.
  • Implement an improvement program to incorporate corrective actions and track changes to the ISMS.

Clause 9.2(d): Audit criteria and scope

Clause interpretation: Organizations must define the audit criteria and scope of each audit, including the processes, areas, systems, etc. to be covered.

How to comply: To meet the requirement, organizations must:

  • Specify the relevant components, such as IT systems, financial operations, and other areas, that will be audited in each internal audit window.
  • Plan the methods to be used for evaluating them, such as interviews, observation, and tests.
  • Assess and prioritize audit areas, focusing on high-risk areas first and taking into account the resources available for audits.

Clause 9.2(e): Auditor selection and independence

Clause interpretation: Organizations must select independent internal auditors to ensure impartiality in the assessment.

How to comply: To meet the requirement, organizations must:

  • Appoint internal auditors who are not directly involved in designing or running the ISMS activities to prevent a biased opinion.
  • Verify that the auditor is competent in terms of training, skills, and understanding of information security management.
  • Create a formal document specifying which individuals are eligible or not eligible to perform internal audit processes and the reasons for their eligibility.

Clause 9.2(f): Reporting on audit results

Clause interpretation: The internal auditor must report the audit results to the management. All nonconformities and other findings must be reported along with recommendations for improvement.

How to comply: To meet the requirement, organizations must:

  • Establish an audit result reporting process.
  • Present audit findings to the executives during management review meetings conducted annually or more frequently.
  • Include details of the audit scope and findings, highlighting major non-conformities and recommendations for corrective action.
  • Document the management response and track progress on remediation measures.

Clause 9.2(g): Audit program and record retention

Clause interpretation: Organizations must retain documents and evidence of the implementation of the ISO 27001 internal audit plan as well as the audit results.

How to comply: To meet the requirement, organizations must:

  • Ensure that the records are readily available when required while preserving their integrity.
  • Maintain audit records such as copies of the internal audit plan, evidence of audit execution, and the final audit report.
  • Establish and document record retention policies that clearly state how long the records should be retained and in what format.
  • Establish roles and responsibilities for managing these records.

Who can perform an internal audit?

Internal audits can be conducted by your internal staff, an independent third-party auditor, or an ISO 27001 consulting firm. Unlike the ISO 27001 certification audits, you don’t need to employ accredited external auditors to conduct these audits.

As per clause 9.2(e) of the ISO 27001 standard, you must select an internal auditor who is objective and impartial. This means that when you pick an internal resource to spearhead these audits, it’s good practice to ensure there isn’t any conflict of interest: they weren’t involved in building the ISMS, and they don’t operate or monitor any of the controls under audit. Why? It’s difficult to be objective and impartial when you review your own work! That said, pick a resource who is well-versed in auditing procedures and the ISO standard.

An independent third-party resource is also a good option if you have the budget for it. They bring a lot of value to the table owing to their years of experience in similar audits and their eye for detail. Depending on your requirements and the pedigree of the external auditor (for example, a Big4 firm or an independent auditor), this could cost you roughly $10K-$20K.

ISO 27001 internal audit process (Step by Step)

An ISO 27001 internal audit process requires defining the audit scope and extent and selecting an internal auditor for documentation review, field investigation and evidence analysis. Thereafter, the auditor compiles the report and recommends corrective action.

Here’s a six-step ISO 27001 internal audit process:

1. Define the scope of the internal audit

The internal auditor must start by outlining the boundaries of the audit and defining the systems that fall within scope. The scope must include all functions, people, systems, etc. that will be examined under the audit to meet the compliance objectives.

2. Conduct documentation review

The internal auditor will first review all your documented information, including the ISO 27001 Scope Statement, Statement of Applicability, Information Security Policies, Risk Assessments and Risk Treatment Plan, to ensure the audit scope is appropriately defined and covers the ISMS adequately.

  • ISMS Scope Statement: Specifies the boundaries to which the ISMS applies.
  • ISMS Statement of Applicability: Specifies the controls that have been selected and implemented and provides justification for the ones that aren’t applicable.
  • Information security policy: Outlines the security goals of the organization and the SOPs in place to achieve them.
  • ISO 27001 risk assessment and risk treatment plans: Present the approach to identifying risks, the criteria for scoring them, and the action plan for treatment.
  • Definition of responsibilities: Outlines the roles and responsibilities of individuals in control implementation.
  • Asset inventory and acceptable use: Consist of the asset inventory and guidelines on acceptable use of assets.

ISO 27001 lists numerous mandatory documents and records as well as some non-mandatory documents that are good to keep handy. It is good practice to identify and list the people who built, operated, or monitored the controls of your ISMS and assign them responsibilities for specific documents.

3. Conduct a management review

The entire audit plan should be reviewed and approved by the management. It’s a good idea to set up regular meetings to establish expectations on the timeline and keep the communication channel open with the management.

The management must also review the internal audit report and, in discussion with the internal auditor, ascertain whether or not the organization is ready for the external ISO certification audit.

4. Field review

A field review is your internal audit assessment. After the documentation review, the auditor will evaluate your ISMS by performing audit tests, validating the evidence, documenting the tests and observations, and collecting evidence to show what’s working and what isn’t. The auditor will also conduct staff interviews to understand how they comply with the ISMS.

Sprinto advantage: You can implement Sprinto to review the effectiveness of policies, processes and technical controls against ISO 27001. Sprinto enables you to run granular-level automated checks in real time, spot the gaps and initiate proactive responses.

5. Analysis

This step entails analyzing and reviewing the collected evidence and mapping it to the organization’s risk treatments and control objectives. Such analyses typically reveal control gaps, or the need to bolster your security posture or conduct more tests.

Non-compliances are typically categorized as one of the following:

  • Major nonconformity
  • Minor nonconformity
  • Opportunity for improvement

All issues or non-conformities discovered in the internal audit must be tracked, documented, analyzed, and remediated.

6. Internal audit reports

Based on their observations and analyses, the auditor will present an internal audit report to the management. The report will contain the scope, objectives and extent of the audit, and will detail, with evidence, which policies, procedures and security controls of the ISMS are working and which aren’t.

For instance, if your organization’s security policy states that system backups are taken once a day and the auditor doesn’t find a backup log corroborating this, they would record it as a non-conformity.

Outside of the key findings, the report also details corrective actions, recommendations, and remediations. As mentioned earlier, this report is presented to the management for review and an action plan.

Sprinto can help you set an audit window for the internal audit and reach the >90% mark for ISO 27001 readiness in weeks rather than months. It enables continuous compliance checks at a granular level to bring your organization into a state of continuous compliance and achieve 100% audit success.

How to write an internal audit report for ISO 27001?

ISO 27001 is big on documentation, so your internal audit report should be exhaustive in its coverage.

Here are some elements to look for in your report:

Executive Summary

The executive summary gives the management a bird’s-eye view of the audit. It is usually prepared by the ISO 27001 internal auditor without the use of technical jargon and consists of:

  • A quick snapshot of the specific areas of the ISMS covered for the audit
  • The most critical findings
  • Recommendations or next steps to address the findings

Audit Plan

The audit plan comprises audit criteria and details of the auditor and includes:

  • The scope of the audit, including the departments, processes, people, locations, etc. covered
  • The name and details of the auditor
  • Date, time and location of the audit

Methodology

The Methodology section describes the techniques and tools used to carry out the internal audit. These can include interviews, observation, inspections and assessment of processes.

Findings

This section highlights the most impactful findings of the internal audit and consists of:

  • All major observations along with the evidence supporting the observation
  • Category of findings classified as major nonconformity, minor nonconformity and opportunity for improvement

Recommendations

The recommendations section includes corrective action suggestions to address the findings and bolster controls to prepare for an independent audit. It consists of actionable insights to improve the ISMS.

Planned closure date

The audit report also provides a deadline for remediating the gaps and other lapses. There is a section for the management response, where management can respond to the recommendations and assign responsibilities for implementing corrective actions.

Why complete an internal ISMS audit?

Internal audits are a preventive measure to ensure you identify and remediate nonconformities and other security oversights before your certification audits. It’s a proactive approach that assures that your ISMS conforms to the requirements of the standard.

Benefits of ISO 27001 Internal Audit

Here are some other compelling reasons why an internal ISMS audit must be taken seriously:

Objective evaluation

Internal audits provide objective and impartial insights into the functioning of your ISMS.

Discover non-conformities and oversights

Conducting internal audits helps you discover lapses, non-conformities, and oversights in your ISMS, policies, procedures, security controls, and other documentation.

Allow for time to remediate

It allows organizations the time to remediate the control gaps and nonconformities before their certification audits.

Continual improvement

Internal audits keep tabs on how well the ISMS maintains compliance with the ISO standard and therefore make allowance for continual improvement.

Management buy-in

Since the internal audit report is presented to the management, it demonstrates management buy-in and commitment to maintaining the organization’s infosec posture.

Employees’ participation and awareness

Internal audits bring to light how effectively organizations communicate their processes and procedures to employees, and how well their security culture is entrenched in their people.

ISO 27001 internal audit planning template

If you are using an internal resource to conduct your internal audit, it’s a good idea to incentivize them to undergo ISO 27001 Lead Auditor training to make the entire process more effective.

Here’s a handy ISO 27001 Internal Audit template you can use:

Sprinto: The smart way to conduct an internal audit

We understand that ISO 27001 compliance adds a lot of to-dos to your plate. And with a whole business to run, these can be one too many.

Sprinto’s compliance automation platform is built to take the weight of complying with security frameworks such as ISO 27001, SOC 2, and PCI DSS, to name a few, off your shoulders. The platform has compliance checklists, risk assessment frameworks, readiness assessments, management reviews, and evidence collection intuitively embedded within it. Sprinto performs a continuous internal audit of your ISMS and shares the ‘live status’ of checks with your key stakeholders.

As a result, you spend only a few hours every week getting your organization audit-ready. And if and when you hit a roadblock, Sprinto’s in-house compliance experts are just a call away.

Ready to kickstart your compliance journey? Speak to our experts today.

FAQs

Here are some oft-asked questions outside of what we have already discussed in the blog that you may find useful.

What are the different audit categories for ISO 27001?

The different audit categories for ISO 27001 are certification audit (or stage 1 and stage 2 audit), internal audit, surveillance audit and recertification audit.

What is the scope of ISO 27001 internal audit?

The scope of ISO 27001 internal audit can include the entire ISMS or selected processes depending upon the organizational needs, complexity and compliance levels.

What are some documents needed for ISO 27001 internal audit?

ISO 27001 internal audit documentation requires an information security policy along with the ISMS scope statement, statement of applicability, risk assessment and treatment methodology, and other evidence documents demonstrating effective ISMS implementation.

How often should an ISO 27001 internal audit be conducted?

ISO 27001 says that internal audits must be conducted at ‘planned intervals,’ but the recommended best practice is at least once a year. For high-risk areas, the audit may be conducted bi-annually or even quarterly. In case of significant changes or major incidents, an ad hoc internal audit may be required.

What are some common non-conformities found in an internal audit?

Some common non-conformities found in an internal audit include:

  • Missing documentation
  • Incomplete or outdated risk assessments and treatment plans
  • Lack of training records
  • Management review gaps
  • Incident management deficiencies

Srividhya Karthik
Srividhya Karthik is a Content Lead at Sprinto who artfully transforms the complex world of compliance into accessible and intriguing reads. Srividhya has half a decade of experience under her belt in the compliance world across frameworks such as SOC 2, ISO 27001, GDPR and more. She is a formidable authority in the domain and guides readers with expertise and clarity.
