    ISO 27001 & ISO 22301 Blog

    Risk assessment vs. internal audit in ISO 27001 and ISO 22301

    Quite often I see people searching for ISO 27001 or ISO 22301 checklists for performing the internal audit; however, they expect those checklists to help them answer questions such as which information the organization has, who has access to it, how it is protected, how confidential it is, etc.

    The problem is that these questions are not part of an internal audit at all; they are part of the risk assessment.

    The purpose of risk assessment

    The purpose of risk assessment is to find out which problems can happen to your information and/or operations – that is, what can jeopardize the confidentiality, integrity and availability of your information, or what can threaten the continuity of your operations.

    As part of the risk assessment you have to do the following:

    • Identify all the risks related to your information
    • Identify the risk owners
    • Assess the impact and likelihood of risks
    • Determine the level of risks
    • Decide whether the risk needs to be treated or not
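The five steps above are easiest to see as a small risk register. The following Python is an added illustration, not code from the original post or from Advisera; it assumes a 1-5 scale for impact and likelihood, defines the risk level as their product, and uses an acceptance threshold of 8, all of which are choices an organization makes in its own risk assessment methodology rather than anything the post prescribes. The sample register entries are constructed for the example.

```python
"""Minimal ISO 27001-style risk register (added illustration, not from the original post).

Assumptions not stated in the post: a 1-5 scale for impact and likelihood,
risk level = impact x likelihood, and an acceptance threshold of 8 above
which a risk must be treated. Real methodologies define these themselves.
"""
from dataclasses import dataclass

SCALE = range(1, 6)          # assumed 1..5 scale for both impact and likelihood
ACCEPTANCE_THRESHOLD = 8     # assumed: levels above this must be treated


@dataclass(frozen=True)
class Risk:
    asset: str          # the information (or operation) the risk relates to
    threat: str
    vulnerability: str
    owner: str          # risk owner: one accountable person per risk
    impact: int         # consequence if the threat materialises (1-5)
    likelihood: int     # how probable that is (1-5)

    def __post_init__(self):
        # Reject values outside the agreed scale so the register stays comparable.
        for name in ("impact", "likelihood"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be in {SCALE.start}..{SCALE.stop - 1}")

    @property
    def level(self) -> int:
        """Step 4: determine the level of risk."""
        return self.impact * self.likelihood

    def needs_treatment(self, threshold: int = ACCEPTANCE_THRESHOLD) -> bool:
        """Step 5: decide whether the risk is acceptable or must be treated."""
        return self.level > threshold


def treatment_plan(register, threshold=ACCEPTANCE_THRESHOLD):
    """Group the risks that need treatment by owner, highest level first."""
    plan = {}
    for r in sorted(register, key=lambda r: r.level, reverse=True):
        if r.needs_treatment(threshold):
            plan.setdefault(r.owner, []).append(r)
    return plan


# Constructed sample register (illustrative values only, not from the post).
SAMPLE_REGISTER = [
    Risk("customer database", "unauthorised access", "weak passwords", "IT manager", 5, 3),
    Risk("customer database", "hardware failure", "no backups", "IT manager", 4, 2),
    Risk("office premises", "fire", "no smoke detectors", "facilities manager", 5, 1),
    Risk("HR records", "disclosure", "shared accounts", "HR manager", 3, 4),
]

if __name__ == "__main__":
    for owner, risks in treatment_plan(SAMPLE_REGISTER).items():
        for r in risks:
            print(f"{owner}: {r.asset} / {r.threat} (level {r.level})")
```

Note that the register holds the forward-looking judgement the post describes (what could happen, how badly, how likely), and the treatment decision falls out of comparing that judgement with the acceptance threshold; an internal audit would later check whether the treatments chosen here were actually implemented.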

    Risk assessment is part of the risk management process, and is in fact the crucial part of any ISO 27001 or ISO 22301 implementation – see this article for an explanation: The basic logic of ISO 27001: How does information security work?

    Consequently, risk assessment needs to be done at the beginning of the ISO 27001 project, while the internal audit is done only after the implementation has been completed. See also: How to organize initial risk assessment according to ISO 27001 and ISO 22301.

    How is internal audit different?

    The internal audit, on the other hand, is nothing more than listing all the rules and requirements and then finding out whether those rules and requirements are complied with.

    Typically, rules and requirements are the following:

    When performing an internal audit, you need to check if each and every rule and requirement was complied with, in the whole scope of your information security management system or business continuity management system.

    This is done by using various techniques:

    • Examining all the documentation and records
    • Interviewing the employees
    • Personal observations (e.g., walking around the premises)

    See also: How to make an Internal Audit checklist for ISO 27001 / ISO 22301.

    The main differences between the two

    So, I would say that one of the main differences is in the mindset: risk assessment is thinking about the (potential) things that could happen in the future, while the internal audit is dealing with how things were done in the past.

    The second major difference is that the internal audit focuses on compliance with various rules and requirements, while risk assessment is nothing but analysis that provides a basis for building up certain rules.

    The third difference is that the risk assessment is done before you start applying the security controls, while the internal audit is performed once these are already implemented.

    I’m not saying that one is more important than the other – they are both crucial for building up your information security and/or business continuity. However, they do have one thing in common: they are both very often neglected in companies because they are perceived as only a bureaucratic exercise; but this is a topic for a different blog post…

    To see how to use the ISO 27001 risk register with catalogs of assets, threats, and vulnerabilities, and get automated suggestions on how they are related, sign up for a 30-day free trial of Conformio, the leading ISO 27001 compliance software.

    Dejan Kosutic
    Dejan holds a number of certifications, including Certified Management Consultant, ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, and Associate Business Continuity Professional. Dejan leads our team in managing several websites that specialize in supporting ISO and IT professionals in their understanding and successful implementation of top international standards. Dejan earned his MBA from Henley Management College, and has extensive experience in investment, insurance, and banking. He is renowned for his expertise in international standards for business continuity and information security – ISO 22301 & ISO 27001 – and for authoring several related web tutorials, documentation toolkits, and books.