A Step-by-Step Guide to Conducting an ISO 27001 Internal Audit


It isn’t uncommon to feel like a bag of nerves before ISO 27001 certification audits. After all, you have spent much time, energy, and money on getting audit-ready and certified, and you want to pass every subsequent audit with flying colors. So, you have checked everything, and then double-checked it all. But how can you know what you don’t know? Enter internal audits. Designed to evaluate your organization just as an external auditor would, internal audits are how you find out whether you genuinely are audit-ready.

In this article, you will learn about what an internal audit is, who can conduct it, when you should conduct it, and the steps involved in performing an internal audit.

TLDR: If you plan to conduct your internal audit with an internal resource, head to the section titled ISO 27001 Internal Audit Plan Template for a downloadable ready-to-use template. And for a smarter, more cost-effective option, look at the last section.

What is an ISO 27001 Internal Audit?

The ISO 27001 internal audit is much like a dress rehearsal before the main certification audit by an external auditor. ISO/IEC 27001:2013 requires organizations to conduct internal audits at planned intervals. Internal audits evaluate whether an organization’s Information Security Management System (ISMS) conforms to the organization’s own requirements for it and to the requirements of the standard, and whether it is effectively implemented and maintained. In other words, they help identify gaps or deficiencies that can impact your organization’s ISMS and its ability to meet the intended information security objectives.

Internal audits aren’t one-and-done audits. They must be performed before your ISO 27001 certification audit to ascertain whether your organization is audit-ready, and they continue after a successful certification (ahead of each surveillance audit and the recertification audit) to assess whether your Information Security Management System still meets the ISO 27001 standard.

Clause 9.2 of the ISO/IEC 27001 standard lays out the internal audit requirements. It requires you to:

  • Conduct internal audits at planned intervals to confirm that the ISMS conforms to your own requirements and to the standard, and that it is effectively implemented and maintained
  • Plan an audit programme whose frequency, methods and responsibilities reflect the importance of the processes concerned and the results of previous audits
  • Define the audit criteria and scope for each audit
  • Select auditors and conduct audits so that the objectivity and impartiality of the audit process are maintained
  • Report audit results to the relevant management
  • Retain documented information as evidence of the audit programme and the audit results


Note that ISO 27001 does not prescribe a fixed frequency for internal audits. “Planned intervals” is for you to define and justify in your audit programme, and your certification auditor will ask to see that the programme has actually been carried out.

Who can perform an Internal Audit?

Internal audits can be conducted by your internal staff, an independent third-party auditor, or a consulting firm. Unlike the ISO 27001 certification audits, you don’t need to employ accredited external auditors to conduct these audits. 

As per clause 9.2e of the ISO 27001 standard, you must select an internal auditor who is objective and impartial. This means that when you pick an internal resource to spearhead these audits, it’s good practice to ensure there isn’t any conflict of interest: they weren’t involved in building the ISMS, and they don’t operate or monitor any of the controls under audit. Why? It’s difficult to be objective and impartial when you review your own work! Also, pick a resource who is well-versed in auditing procedures and the ISO standard.


An independent, third-party resource is also a good option if you have the budget for it. They bring much value to the table owing to their years of experience in similar audits and their eye for detail. Depending on your requirements and the pedigree of the external auditor (a Big Four firm versus an independent auditor, for example), this could cost roughly $10K to $20K.

Why complete an Internal ISMS Audit?

Internal audits are a preventive measure to ensure you identify and remediate nonconformities and other security oversights before your certification audits. It’s a proactive approach that provides assurance that your ISMS conforms to the requirements of the security standard. 

Here are some other compelling reasons why an internal ISMS audit must be taken seriously:


Objective Evaluation

Internal audits provide objective and impartial insights into the functioning of your ISMS.

Discover Nonconformities & Oversights

Conducting internal audits helps you discover lapses, nonconformities, and oversights in your ISMS, policies, procedures, security controls, and other documentation.

Allow for time to Remediate

It allows organizations the time to remediate the control gaps and nonconformities before their certification audits.

Continual Improvement

Internal audits keep tabs on how well the ISMS maintains compliance with the ISO standard and, therefore, feed the continual improvement cycle the standard expects.

Management Buy-in

Since the internal audit report is presented to the management, it keeps leadership engaged and demonstrates their commitment to maintaining the organization’s infosec posture.

Employees’ Participation & Awareness

Internal audits bring to light how effectively the organization communicates its processes and procedures to employees, and how well its security culture is entrenched in its people.

What are the steps in ISO 27001 Internal Audit?

Before conducting an internal audit, it is important to define the audit criteria and scope for each audit. Your organization’s information assets, systems, processes, locations, people, products, and services, to name a few, might come under the audit scope.

Let’s go through the internal audit process step-by-step, assuming you have an internal auditor in place.


Step 1: Documentation Review

The internal auditor will first review all your documented information – ISO 27001 Scope Statement, Statement of Applicability, Information Security Policies, Risk Assessments and Risk Treatment Plan, among others to ensure the audit scope is appropriately defined and covers the ISMS adequately.

The documentation review also helps the internal auditor evaluate whether the controls selected in the Statement of Applicability have been implemented as documented.

It’s a good practice to identify and list the people who built, operate or monitor the controls of your ISMS. Control owners can help answer the queries the internal auditor might raise.

Step 2: Management Review

The entire audit plan should be reviewed and approved by the management. It’s a good idea to set up regular meetings to establish expectations on timeline and keep the communication channel open with the management.

The management must also review the internal audit report, and on discussion with the internal auditor, ascertain whether or not the organization is ready for the external ISO certification audit.

Step 3: Field Review

A field review is your internal audit assessment. After a documentation review, the auditor will evaluate your ISMS by performing audit tests, validating the evidence, documenting the tests and observations, and collecting evidence to showcase what’s working and what isn’t. The auditor will also conduct staff interviews to understand how they comply with the ISMS.  

Step 4: Analysis

This step entails analyzing and reviewing the collected evidence and mapping it to the organization’s risk treatments and control objectives. Such analyses typically reveal control gaps, or the need to bolster your security posture or conduct more tests. 

Nonconformities are typically categorized as one of the following:

  • Major nonconformity: a required element of the ISMS is absent, or a control has broken down systemically
  • Minor nonconformity: an isolated lapse or partial failure that does not undermine the ISMS as a whole
  • Opportunity for improvement: not a nonconformity, but a suggestion to strengthen a process or control

All issues or non-conformities discovered in the internal audit must be tracked, documented, analyzed, and remediated.

Step 5: Internal Audit Reports

Based on their findings and analyses, the auditor will present an internal audit report to the management. The report will state the audit’s scope, objectives, and extent, and detail, with evidence, which policies, procedures, and security controls are working and which aren’t.

For instance, if your organization’s security policy says that system backups are taken once a day and the auditor doesn’t find a backup log corroborating this, they would mark it as a nonconformity.
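The backup check above is the kind of audit test that is easy to turn into a repeatable script, so the same evidence can be pulled for every internal audit instead of being eyeballed once. The following is an added example, not code from the original article or from Sprinto. It assumes a hypothetical backup log format (an ISO 8601 timestamp, a job name, and a SUCCESS/FAILED status per line); the sample lines are constructed for the example and include one day with no run at all and one day whose only run failed, both of which the check reports as days the policy was not met.

```python
"""Worked audit test (added example, not from the original article):
the policy says backups run once a day; does the backup log corroborate it?
The log format below is a hypothetical one assumed for the example."""
from datetime import date, datetime, timedelta

# Constructed sample log: one line per backup job run.
# 2024-03-04 has no run at all; 2024-03-06 has only a FAILED run.
SAMPLE_BACKUP_LOG = """\
2024-03-01T01:02:11Z db-nightly SUCCESS
2024-03-02T01:01:58Z db-nightly SUCCESS
2024-03-03T01:03:20Z db-nightly SUCCESS
2024-03-05T01:02:44Z db-nightly SUCCESS
2024-03-06T01:02:09Z db-nightly FAILED
2024-03-07T01:02:31Z db-nightly SUCCESS
"""


def parse_backup_log(text):
    """Return a list of (timestamp, job, status) tuples; malformed lines are skipped."""
    runs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # a real auditor would note malformed lines; here we just skip them
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        runs.append((ts, parts[1], parts[2]))
    return runs


def days_without_successful_backup(runs, job, start, end):
    """Every calendar day in [start, end] on which `job` has no SUCCESS run.

    "Daily backup" is read as: each calendar day has at least one successful run.
    A day with only FAILED runs counts as missed, because a failed backup
    satisfies the policy no better than an absent one.
    """
    ok_days = {ts.date() for ts, name, status in runs
               if name == job and status == "SUCCESS"}
    missed = []
    day = start
    while day <= end:
        if day not in ok_days:
            missed.append(day)
        day += timedelta(days=1)
    return missed


def audit_daily_backup(text, job, start_iso, end_iso):
    """Verdict for the sampled window: 'conforms', or a nonconformity with its evidence."""
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    missed = days_without_successful_backup(parse_backup_log(text), job, start, end)
    if not missed:
        return {"result": "conforms", "missed_days": []}
    return {
        "result": "nonconformity",
        "missed_days": [d.isoformat() for d in missed],
        "evidence": (f"policy requires a daily backup of {job}; "
                     f"{len(missed)} day(s) in the sampled window have no successful run"),
    }


if __name__ == "__main__":
    print(audit_daily_backup(SAMPLE_BACKUP_LOG, "db-nightly", "2024-03-01", "2024-03-07"))
```

The auditor’s sample window (start and end dates) and the job name are the inputs; the output is the finding itself, with the missed days as the evidence that goes into the report. Widen the window or point the script at the real log export for the period under review and the same check applies.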

Outside of the key findings, the report also details corrective actions, recommendations, and remediations. As we mentioned, this report is presented to the management for further review and action plan.

ISO 27001 Internal Audit Plan Template

If you are using an internal resource to conduct your internal audit, it’s a good idea to have them undergo ISO 27001 Lead Auditor training to make the entire process more effective.

Here’s a handy ISO 27001 Internal Audit template you can use.

Download your ISO 27001 Internal Audit Template

ISO 27001 Internal Audit FAQ

Here are some oft-asked questions outside of what we have already discussed in the blog that you may find useful.

How to avoid common ISO 27001 Internal Audit Mistakes

Here are some guidelines to keep in mind before and while conducting the internal audit:

  • Allocate sufficient time and resources to the internal audit, and set a time limit for it
  • Communicate the audit schedule and the management review to management and staff ahead of time
  • Select competent auditors to conduct the internal audit
  • Avoid any conflict of interest between the auditor and the ISMS they audit
  • Give internal audits their due importance; they aren’t a ‘checkbox’ initiative
  • Conduct audits periodically and as planned
  • Reduce dependency on key personnel by designating backups for them

How to write an Internal Audit Report for ISO 27001?

ISO 27001 is big on documentation, so your internal audit report should be exhaustive in its coverage. Here are the elements to include in your report:


Executive Summary

Remember that the management will read the internal audit report. So, ensure there’s a neat summary that makes for an easy and quick read.

Audit Plan

This section describes the audit scope and criteria, the details of the auditor, and other specifics such as the auditee names, locations, and dates.

Findings

You can find all relevant observations around the ISMS in this section.

Category of Findings

In this section, the findings are classified (where relevant) as major nonconformity, minor nonconformity, or opportunity for improvement.

Recommendations

This section lists the recommendations and the action plan for each finding, mapped to the relevant ISMS clause or control, to close the control gap or strengthen the control.

Planned Closure Date

The audit report also gives a target date for remediating each gap and lapse.

The Smart Way to Conduct an Internal Audit

We understand that ISO 27001 adds a lot of to-dos to your plate. And with a whole business to run, these additional to-dos can be one too many.

Sprinto’s compliance automation platform is built to take the weight of complying with security frameworks such as ISO 27001, SOC 2, and PCI DSS, to name a few, off your shoulders. The platform has compliance checklists, risk assessment frameworks, readiness assessments, management review, and evidence collection intuitively embedded within it. Sprinto performs a continuous internal audit of your ISMS and shares the ‘live status’ of checks with your key stakeholders.

As a result, you spend only a few hours every week to get your organization audit ready. And if and when you hit a roadblock, you have Sprinto’s in-house compliance experts just a call away.  

Talk to us to kickstart your compliance journey.
