A Complete Guide to an ISO 27001 Internal Audit

Srividhya Karthik

Jan 13, 2024

It isn’t uncommon to experience apprehension before the final ISO 27001 audit. After all, you have spent much time, energy, and money on getting audit-ready and certified. You want to ace any subsequent audits with flying colors. And that is why all processes and documentation need meticulous scrutiny beforehand.

Enter ISO 27001 internal audits. Designed to evaluate your organization just like an external auditor would, internal audits are your answer to knowing you genuinely are audit-ready.

In this article, you will learn about what an internal audit is, who can conduct it, when you should conduct it, and the steps involved in performing an internal audit.

What is an ISO 27001 Internal Audit?

An ISO 27001 internal audit, carried out by an organization’s internal team, involves examining its Information Security Management System (ISMS) to confirm compliance with the standard and to prepare for subsequent ISO 27001 audits by external auditors.

According to the ISO 27001 security and compliance glossary:

  • Internal audits aren’t one-and-done audits. They must be performed before your ISO 27001 certification audit to ascertain if your organization is audit-ready and even after a successful certification (but before the recertification audit) to assess whether your Information Security Management System continues to meet the ISO 27001 standard.
  • Internal audits can be conducted by an auditor within the organization or by a third party such as a consulting firm. The auditor must, however, present an impartial opinion and report nonconformities to senior management.

Note that ISO 27001 does not define how often an organization must conduct an internal audit.

What are ISO 27001 internal audit requirements?

The ISO 27001 internal audit requirements are laid down in clause 9.2 of the standard and are detailed and stringent. Clause 9.2(a) requires organizations to conduct internal audits at planned intervals and 9.2(b) advocates that the internal audit must conform to ISO 27001 requirements.

Here are five clauses you should be looking at as per ISO internal audit requirements:

Clause 9.2(c): Audit program

Organizations must plan, establish, implement, maintain, and continuously improve an audit program. The program must include the frequency at which internal audits will be conducted, the methodology to be used and the roles and responsibilities of stakeholders carrying out the audit. Organizations also need to implement reporting mechanisms and procedures for corrective actions.

Clause 9.2(d): Audit criteria and scope

Organizations must define the audit criteria and scope of each audit including the processes, areas, systems etc. to be included in each audit. For each periodic audit you plan, it is important to document what you are going to evaluate and how you will do it. It is crucial to take a risk-based approach and consider the available resources when planning internal audits.

Clause 9.2(e): Auditor selection and independence

Organizations must select independent internal auditors to ensure impartiality in the assessment. This means that individuals directly involved in designing or running the ISMS activities must not be appointed, so as to prevent a biased opinion. The selected auditor must, however, be competent and possess a good understanding of information security management.

Clause 9.2(f): Reporting on audit results

The internal auditor must report the audit results to the management. This can be done during the management review that is conducted at least once a year. All nonconformities and other findings must be reported along with recommendations for improvement. The management will then respond to the findings and make decisions accordingly.

Clause 9.2(g): Audit program and record retention

Organizations must retain the documents and evidence of the ISO 27001 internal audit plan implementation as well as the audit results. The record retention policies must also be defined and documented by the ISMS owners.

Who can perform an internal audit?

Internal audits can be conducted by your internal staff, an independent third-party auditor, or an ISO 27001 consulting firm. Unlike the ISO 27001 certification audits, you don’t need to employ accredited external auditors to conduct these audits.

As per clause 9.2(e) of the ISO 27001 standard, you must select an internal auditor who is objective and impartial. This means that when you pick an internal resource to spearhead these audits, it’s good practice to ensure there isn’t any conflict of interest: they weren’t involved in building the ISMS, and they don’t operate or monitor any of the controls under audit. Why? It’s difficult to be objective and impartial when you review your own work! That said, pick a resource who is well-versed in auditing procedures and the ISO standard.

An independent third-party resource is also a good option if you have the budget for it. They bring much value to the table owing to their years of experience in similar audits and their eye for detail. Depending on your requirements and the pedigree of the external auditor (for example, Big4 or independent auditor), this could cost you roughly $10K-$20K.

ISO 27001 internal audit process (Step by Step)

An ISO 27001 internal audit process requires defining the audit scope and extent and selecting an internal auditor for documentation review, field investigation and evidence analysis. Thereafter, the auditor compiles the report and recommends corrective action.

Here’s a 6-step ISO 27001 internal audit process:

1. Define the scope of the internal audit

The internal auditor must start by outlining the boundaries of the audit and defining the systems that fall within scope. The scope must include all functions, people, systems, etc. that will be examined during the audit to meet the compliance objectives.

2. Conduct documentation review

The internal auditor will first review all your documented information (ISO 27001 Scope Statement, Statement of Applicability, Information Security Policies, Risk Assessments and Risk Treatment Plan, among others) to ensure the audit scope is appropriately defined and covers the ISMS adequately.

  • ISMS Scope statement: The document specifies the boundaries to which the ISMS applies.
  • ISMS Statement of Applicability: The statement specifies the controls that have been selected and implemented and provides justification for the ones which aren’t applicable.
  • Information security policy: The policy outlines the security goals of the organization and the SOPs in place to achieve them.
  • ISO 27001 risk assessment and risk treatment plans: The documents present the approach to identifying risks, the criteria for scoring them and the action plan for treatment.
  • Definition of responsibilities: The document outlines the roles and responsibilities of individuals in control implementation.
  • Asset inventory and acceptable use: These documents consist of asset inventory and guidelines on fair use.

It’s a good practice to identify and list the people who built, operate or monitor the controls of your ISMS. Control owners can help answer the queries the internal auditor might raise.

3. Conduct a management review

The entire audit plan should be reviewed and approved by the management. It’s a good idea to set up regular meetings to establish expectations on the timeline and keep the communication channel with the management open.

The management must also review the internal audit report and, after discussion with the internal auditor, ascertain whether or not the organization is ready for the external ISO certification audit.

4. Field review

A field review is your internal audit assessment. After the documentation review, the auditor evaluates your ISMS by performing audit tests, validating the evidence, documenting the tests and observations, and collecting evidence to show what’s working and what isn’t. The auditor will also conduct staff interviews to understand how they comply with the ISMS.

Sprinto advantage: You can implement Sprinto to review the effectiveness of policies, processes and technical controls against ISO 27001. Sprinto enables you to run granular-level automated checks in real time, spot the gaps and initiate proactive responses.

5. Analysis

This step entails analyzing and reviewing the collected evidence and mapping it to the organization’s risk treatments and control objectives. Such analyses typically reveal control gaps, or the need to bolster your security posture or conduct more tests.

Nonconformities are typically categorized as one of the following:

  • Major nonconformity
  • Minor nonconformity
  • Opportunity for improvement

All issues or nonconformities discovered in the internal audit must be tracked, documented, analyzed, and remediated.

6. Internal audit reports

Based on their observations and analyses, the auditor will present an internal audit report to the management. The report will state the audit’s scope, objectives, and extent, and will detail, with evidence, which policies, procedures, and security controls are working and which aren’t.

For instance, if your organization’s security policy talks about taking system backups once a day and the auditor doesn’t find a backup log corroborating this, they would mark it as a nonconformity.
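The backup example above, as an added illustration that is not part of the original article: a small evidence check that compares a “backup once a day” policy statement against a backup log and lists the days with no successful backup. The log format, the job name and the log lines are all constructed for the example.

```python
# Added example (not from the article): check a 'backup once a day' policy
# statement against a backup log and list the days with no successful backup.
# Log format and job name are assumed; the log lines below are constructed.
from datetime import date, datetime, timedelta
import re

SAMPLE_LOG = """\
2024-01-01T02:00:13Z backup job=nightly-db status=SUCCESS size=512MB
2024-01-02T02:00:09Z backup job=nightly-db status=SUCCESS size=514MB
2024-01-03T02:00:11Z backup job=nightly-db status=FAILED error=disk-full
2024-01-04T02:01:02Z backup job=nightly-db status=SUCCESS size=520MB
2024-01-06T02:00:07Z backup job=nightly-db status=SUCCESS size=522MB
"""

LINE_RE = re.compile(r"^(\S+) backup job=(\S+) status=(\S+)")


def successful_backup_days(log_text, job):
    """Calendar days on which `job` logged status=SUCCESS (a set of dates)."""
    days = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) == job and m.group(3) == "SUCCESS":
            days.add(datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").date())
    return days


def missing_backup_days(log_text, job, start_iso, end_iso):
    """ISO dates in [start, end] with no successful backup: the evidence gap
    an auditor would record against a once-a-day backup policy."""
    have = successful_backup_days(log_text, job)
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    window = (start + timedelta(days=i) for i in range((end - start).days + 1))
    return [day.isoformat() for day in window if day not in have]


if __name__ == "__main__":
    gaps = missing_backup_days(SAMPLE_LOG, "nightly-db", "2024-01-01", "2024-01-07")
    for day in gaps:  # a failed run (Jan 3) and days with no run at all (Jan 5, 7)
        print(f"NONCONFORMITY: no successful nightly-db backup on {day}")
```

A failed run counts the same as a missing one: the policy is about backups being taken, so only a successful run is evidence.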

Beyond the key findings, the report also details corrective actions, recommendations, and remediations. As mentioned, this report is presented to the management for further review and an action plan.

Sprinto can help you set an audit window for the internal audit and help you reach the >90% mark for ISO 27001 readiness in weeks rather than months. It enables continuous compliance checks at a granular level to bring your organization into a state of continuous compliance and achieve 100% audit success.

How to write an internal audit report for ISO 27001?

ISO 27001 is big on documentation. So, your internal audit report should be exhaustive in its coverage.

Here are some elements to look for in your report:

Executive Summary

The executive summary gives a bird’s-eye view of the audit for the management. It is usually prepared by the ISO 27001 internal auditor without technical jargon and consists of:

  • A quick snapshot of the specific areas of the ISMS covered for the audit
  • The most critical findings
  • Recommendations or next steps to address the findings

Audit Plan

The audit plan comprises audit criteria and details of the auditor and includes:

  • The scope of the audit, including the departments, processes, people, locations, etc. covered
  • The name and details of the auditor
  • Date, time and location of audit

Methodology

The Methodology section describes the techniques and tools used to carry out the internal audit. These can include interviews, observation, inspections and assessment of processes.

Findings

This section highlights the most impactful findings of the internal audit and consists of:

  • All major observations along with the evidence supporting the observation
  • Category of findings classified as major nonconformity, minor nonconformity and opportunity for improvement

Recommendations

The recommendations section includes corrective action suggestions to address the findings and bolster controls to prepare for an independent audit. It consists of actionable insights to improve the ISMS.

Planned closure date

The audit report also provides a deadline for remediating the gaps and other lapses. There is a section for the management response, where they can respond to the recommendations and assign responsibility for implementing corrective actions.

Why complete an internal ISMS audit?

Internal audits are a preventive measure to ensure you identify and remediate nonconformities and other security oversights before your certification audits. It’s a proactive approach that assures that your ISMS conforms to the requirements of the security standard.

Here are some other compelling reasons why an internal ISMS audit must be taken seriously:

Objective evaluation

Internal audits provide objective and impartial insights into the functioning of your ISMS.

Discover non-conformities and oversights

Conducting internal audits helps you discover lapses, nonconformities, and oversights in your ISMS, policies, procedures, security controls, and other documentation.

Allow for time to remediate

It allows organizations the time to remediate the control gaps and nonconformities before their certification audits.

Continual improvement

Internal audits keep tabs on how the ISMS maintains compliance with the ISO standard and, therefore, make allowance for continual improvement.

Management buy-in

Since the internal audit report is presented to the management, it demonstrates management buy-in and commitment to maintaining the organization’s infosec posture.

Employees’ participation and awareness

Internal audits bring to light how effectively an organization communicates its processes and procedures to its employees, and how well its security culture is entrenched in its people.

ISO 27001 internal audit planning template

If you are using an internal resource to conduct your internal audit, it’s a good idea to incentivize them to undergo ISO 27001 Lead Auditor training to make the entire process more effective.

Sprinto: The smart way to conduct an internal audit

We understand that ISO 27001 compliance adds a lot of to-dos to your plate. And with a whole business to run, these can be one too many.

Sprinto’s compliance automation platform is built to take the weight of complying with security frameworks such as ISO 27001, SOC 2, and PCI DSS, to name a few, off your shoulders. The platform has compliance checklists, risk assessment frameworks, readiness assessments, management reviews, and evidence collection intuitively embedded within it. Sprinto performs a continuous internal audit of your ISMS and shares the ‘live status’ of checks with your key stakeholders.

As a result, you spend only a few hours every week getting your organization audit-ready. And if and when you hit a roadblock, Sprinto’s in-house compliance experts are just a call away.

Ready to kickstart your compliance journey? Speak to our experts today.

ISO 27001 internal audit FAQs

Here are some oft-asked questions outside of what we have already discussed in the blog that you may find useful.

What are the different audit categories for ISO 27001?

The different audit categories for ISO 27001 are the certification audit (stage 1 and stage 2 audits), internal audit, surveillance audit and recertification audit.

What is the scope of ISO 27001 internal audit?

The scope of an ISO 27001 internal audit can include the entire ISMS or selected processes, depending on the organization’s needs, complexity and compliance level.

What are some documents needed for ISO 27001 internal audit?

ISO 27001 internal audit documentation includes an information security policy along with the ISMS scope statement, statement of applicability, risk assessment and treatment methodology, and other evidence documents showing effective ISMS implementation.

Srividhya Karthik is a Content Lead at Sprinto, where she artfully transforms the complex world of compliance into accessible and intriguing reads. Srividhya has half a decade of experience in the compliance world across frameworks such as SOC 2, ISO 27001, GDPR and more. She is a formidable authority in the domain and guides readers with expertise and clarity.
