ISO 27001 & ISO 22301 Blog

7 ways to improve the internal audits of your ISO 27001 ISMS

ISO 27001:2013 states that the purpose of the internal audit is to check compliance against both “the organization’s own requirements … and the requirements of this International Standard.”

Aside from being a necessity of the standard, internal audits are important for several other reasons:

  • Internal audits identify and rectify any issues before an external certification audit is carried out.
  • Internal audits identify opportunities for improvement.
  • Performing regular internal audits provides reassurance to the organization and the certification body that you are continuously reviewing the Information Security Management System (ISMS).
  • Internal audits serve as a reminder to staff that compliance with requirements is a business priority.

7 tips to make your internal audits more effective

Based on my experience, here are seven tips you can apply to audit your Information Security Management System effectively:

1) It’s a marathon, not a sprint. There are 114 controls in Annex A, so don’t expect a quick audit if you want to do it properly. Set aside sufficient time to audit each area fully. There is no fixed rule for how much time to allocate; it depends on several factors, including the maturity of your ISMS, the size of your organization, and the number of findings identified in the previous audit.

2) Share audit responsibilities amongst auditors. It can be effective to split the controls between auditors with different skill sets and strengths. For example, Amy the Auditor may be responsible for auditing IT-oriented processes:

  • A.9 Access control
  • A.10 Cryptography
  • A.11 Physical and environmental security
  • A.12 Operational security
  • A.13 Communications security
  • A.14 System acquisition, development and maintenance

Andrew the Auditor may be responsible for the more general requirements:

  • A.5 Information security policies
  • A.6 Organization of information security
  • A.7 Human resources security
  • A.8 Asset management
  • A.15 Supplier relationships
  • A.16 Information security incident management
  • A.17 Information security aspects of business continuity management
  • A.18 Compliance

Find out more about the controls that make up Annex A in this article: Overview of ISO 27001:2013 Annex A.

3) Failing to prepare is preparing to fail. As with all audits, preparation is key. Before the audit, you should:

  • Ensure that you have access to all required information, such as previous audit findings, procedures, and policies. The Statement of Applicability (SOA) is vital for this particular audit.
  • Prepare an audit checklist (this will be used to carry out the audit and will be aligned with the procedures and policies).
  • Prepare an audit plan (this will include times, departments, and locations and should be provided to auditees ahead of the audit).
  • Schedule time with auditees, time to compile your report, and a follow-up meeting with department representatives.
  • Most importantly, have an in-depth understanding of what is required from Annex A and by the organization.

It is crucial that you communicate the audit plan and session objectives in advance. No one likes a surprise, and it is not a good way to begin an audit.

Learn more about the steps involved in the audit by reading this article: How to make an Internal Audit checklist for ISO 27001 / ISO 22301.

4) Involve all departments. All members of your organization are responsible for maintaining information security, so cover as many departments in your scope as possible. All staff should be following some security requirements (for example, the Teleworking, Confidentiality, and Clear Desk and Screen policies), whereas particular departments also have specific roles within the ISMS. For example:

  • Human Resources – HR has a defined responsibility for ensuring that employee confidentiality is maintained (have they incorporated the Information Security Manager’s advice into staff contracts?). This also applies to the disciplinary process. The Information Security team may be responsible for defining the guidelines, but it is HR’s responsibility to enforce them.
  • Technical / IT teams – The Technical and IT teams have the greatest input into the information security system. Ensure that they are carrying out activities such as performing and testing data backups, implementing network security measures, and carrying out system patching.
  • Customer-facing team – Customer-facing staff need to maintain customer confidentiality at all times.

5) Audit auditees’ understanding of the purpose of the ISMS, as well as compliance. If something isn’t being done, is this due to unclear task delegation, or a lack of understanding of the processes and policies? Checking that auditees understand the significance of information security should be a key part of your audit. Audits often present training and awareness opportunities.

6) Provide constructive feedback. An audit isn’t a witch hunt, so all findings should be framed constructively, with the aim of improving the Information Security Management System. Feedback can be provided at various points throughout the audit, such as directly to the auditee during the audit and at the closing meeting. A key way to provide feedback after completing your audit is by preparing the report. Once you have prepared your report, share your findings with the department representatives and answer any queries they may have.

7) Action your findings. Finally, an audit wouldn’t be effective without actioning your findings. Ensure that once findings are agreed upon with the department representatives, they are logged for corrective action, and that a follow-up on the effectiveness of the action taken is scheduled.

The importance of auditing ISO 27001 controls

Internal audits are essential, both to meet the requirements of the ISO 27001 standard and to facilitate improvements to your own information security processes. Internal audits are one of the key components of a successful ISO 27001 implementation, so it is crucial that they are carried out regularly and, more importantly, carried out effectively. Being prepared will ensure that you get the answers you need and ultimately meet your audit objectives.

Learn how to perform an internal audit in this free online training ISO 27001 Internal Auditor Online Course.