ISO 27001 internal audit: The complete guide

Dejan Kosutic

If you are planning to implement ISO 27001 for the first time, you are probably puzzled by the complexity of the standard and what you should check out during the audit. So, you’re probably looking for some kind of a checklist to help you with this task. This article will explain all the steps that you need to take during the internal audit, and what documentation you need to prepare.

What is an ISO 27001 internal audit?

An ISO 27001 internal audit is an activity for improving the way your information security management system (ISMS) is managed in your company. It can enable you to discover problems (i.e., ISO 27001 nonconformities) that would otherwise stay hidden and would therefore harm your business, and it is the key source of information for the management review. Through an ISO 27001 internal audit, employee awareness is raised regarding issues in your ISMS, as well as their participation in improving the management system.

Who can perform an ISO 27001 internal audit?

There are a few options when determining who will perform an internal audit:

• Employ a full-time internal auditor. This is suitable only for larger organizations that would have enough work for such a person (some types of organizations – e.g., banks – are required by law to have such functions).
• Employ part-time internal auditors. This is the most common situation – the organization uses its own employees to perform internal audits, who do so when required (e.g., a couple of times a year) alongside their regular work. One important thing to pay attention to is this: In order to avoid any conflict of interest (auditors cannot audit their own work), there should be at least two internal auditors so that each could audit the regular job of the other. See also: Qualifications for an ISO 27001 Internal Auditor.
• Employ an internal auditor from outside of the organization. Although this is not a person employed in the organization, it is still considered an internal audit because the audit is performed by the organization itself, according to its own rules. Usually, this is done by a person who is knowledgeable in this field (an independent consultant or similar).

Learn how to perform an internal audit in this free online training: ISO 27001 Internal Auditor Online Course.

How often to conduct an internal audit

ISO 27001 doesn’t specify how often your company needs to conduct an internal audit, but it needs to be performed at least once a year.

How to prepare for an ISO 27001 internal audit

Many people simply rush in to prepare a checklist and perform the ISO 27001 internal audit, thinking that the sooner this “needless” job is done, the better. But such a rush will only create problems and make the internal audit longer than necessary.

You should study the legislation, because some industries (e.g., finance) have special rules regarding internal audits. Depending on whether you have already implemented ISO 9001 (or some other ISO management standard), and which type of internal auditor you have, you have some options:

• Perform one audit or a series of audits throughout the year. If yours is a small company, a single audit during the one-year period will be enough; however, if yours is a large company, you might want to plan to perform an audit in one department in January, in another department in February, etc.
• Use the same rules and the same auditor for other standards as well. If you already implemented ISO 9001, you could actually use the same Internal Audit Procedure – you don't need to create a new document just for ISO 27001. Further, the same auditor can perform internal audits for all those systems at the same time – if such person has knowledge of all these standards, and has average knowledge about IT, he or she will be perfectly capable of doing a so-called integrated internal audit, thereby saving time for everyone.
• Write an internal audit procedure and a checklist, or not. A written procedure that would define how the internal audit is performed is not mandatory; however, it is certainly recommended. Normally, the employees are not very familiar with internal audits, so it is a good thing to have some basic rules written down – unless, of course, auditing is something you do on a daily basis. It’s the same with the internal audit checklist – it is not mandatory, but is certainly useful for beginners.

Required internal audit documentation

• Internal Audit Procedure (not mandatory) – this procedure defines the basic rules for performing the audit: how to select the auditors, how the audits are planned, the elements of conducting the audit, the follow-up activities, and how to report from the audits.
• Annual Internal Audit Program (mandatory) – this is where audits are planned at the annual level, including their criteria and scope.
• Internal Audit Checklist (not mandatory) – this is a checklist that helps prevent the internal auditor from forgetting anything during the internal audit.
• Internal Audit Report (mandatory) – this is where the internal auditor will report on the nonconformities and other findings.

ISO 27001 Internal Audit Procedure template

Here you can see a fragment of the ISO 27001 document template for Internal Audit Procedure.

And this is what the ISO 27001 Internal Audit Checklist template looks like.

Making the ISO 27001 audit checklist usable for beginners

Developing your checklist will depend primarily on the specific requirements in your policies and procedures.

But if you are new to the ISO world, you might also add to your checklist some basic requirements of ISO 27001 so that you feel more comfortable when you start with your first audit:

• First, you have to get the standard itself.
• Then, the technique is rather simple – you have to read the standard clause by clause and write notes in your checklist on what to look for.

By the way, ISO standards are rather difficult to read – therefore, it would be most helpful if you could attend some kind of training, because this way you will learn about the standard in the most effective way. Click here to see a list of ISO 27001 courses.

What to include in your checklist

Normally, the checklist for internal audit according to ISO 27001 would contain four columns:

• Reference – e.g., the clause number in the standard, or section number of a policy, etc.
• What to look for – this is where you write what it is you would be looking for during the main audit – whom to speak to, which questions to ask, what records to look for, which facilities to visit, which equipment to check, etc.
• Compliance – you fill in this column during the main audit, and this is where you conclude whether or not the company has complied with the requirement. In most cases, this will be Yes or No, but sometimes it might be Not applicable.
• Findings – this is the column where you write down what you have found during the main audit – names of persons you spoke to, quotes of what they said, IDs and content of records you examined, description of facilities you visited, observations about the equipment you checked, etc.

The steps in the ISO 27001 audit

Let’s see which steps you need to take during the ISO 27001 internal audit. By the way, these steps are applicable for an internal audit of any management standard, e.g. ISO 9001, ISO 14001, etc.

• Document review. In this step, you have to read all the documentation in your Information Security Management System or Business Continuity Management System (or the part of the ISMS/BCMS you are about to audit) in order to: (a) become acquainted with the processes in the management system, and (b) to find out if there are nonconformities in the documentation with regard to ISO 27001.
• Creating the checklist. Basically, you make a checklist in parallel with the document review – you read about the specific requirements written in the documentation (policies, procedures, and plans), and write them down so that you can check them during the main audit. For instance, if the Backup Policy requires the backup to be done every six hours, then you have to note this in your checklist so that you remember later on to check if this was really done.
• Planning the main audit. Since there will be many things you need to check out, you should plan which departments and/or locations to visit, and when – and your checklist will give you an idea of where to focus the most.
• Performing the main audit. The main audit, as opposed to the document review, is very practical – you have to walk around the company and talk to employees, check the computers and other equipment, observe the physical security, etc. A checklist is crucial in this process – if you have nothing to rely on, you can be certain that you will forget to check many important things; also, you need to take detailed notes on what you find.
• Reporting. Once you finish your main audit, you have to summarize all the nonconformities you found and write an Internal Audit Report – of course, without the checklist and the detailed notes, you won’t be able to write a precise report. Based on this report, you or someone else will have to open corrective actions according to the Corrective Action Procedure.
• Follow-up. In most cases, the internal auditor will be the one to check whether all the corrective actions raised during the internal audit are closed – again, your checklist and notes can be very useful here to remind you of the reasons why you raised a nonconformity in the first place. Only after the nonconformities are closed is the internal auditor’s job finished.

The role of top management

Top management must also get involved in internal audits – from approving the procedure and appointing the internal auditor, to accepting the audit program and reading the internal audit report. These activities should not be delegated to lower levels in the hierarchy, because this could bring the internal auditor into a conflict of interest, and besides, some important information might not find its way to the top.

And, most importantly of all, top management should make a conscious decision that they will accept and support the internal audit as something that is useful for the business.

Seven ways to improve the internal audits of your ISO 27001 ISMS

Here are seven tips you can implement to effectively audit your Information Security Management System:

1) It's a marathon, not a sprint. There are 93 controls in Annex A, so don't expect a quick audit if you want to do it properly. Set aside sufficient time to audit the system fully. There is no rule for the time you allocate, and it is dependent on several different factors including the maturity of your ISMS, the size of your organization, and the number of findings identified in the previous audit.

2) Share audit responsibilities amongst auditors. It can be effective to split the controls between auditors with different skillsets and strengths. For example, the first auditor might be responsible for auditing IT-oriented processes:

• A.8.1 User end point devices
• A.8.2 Privileged access rights
• A.8.19 Installation of software on operational systems
• A.8.20 Network security
• A.8.24 Use of cryptography
• A.8.25 Secure development life cycle

And the second auditor might be responsible for more general requirements:

• A.5.1 Policies for information security
• A.5.2 Information security roles and responsibilities
• A.5.4 Management responsibilities
• A.5.10 Acceptable use of information and other associated assets
• A.5.19 Information security in supplier relationships
• A.5.24 Information security incident management planning and preparation
• A.5.29 Information security during disruption
• A.5.36 Compliance with policies, rules and standards for information security

Find out more about the controls that make up Annex A in this article: Understanding the ISO 27001 controls from Annex A.

3) Failing to prepare is preparing to fail. As with all audits, preparation is key. Before the audit, you should:

• Ensure that you have access to all required information, such as previous audit findings, procedures, and policies. The Statement of Applicability (SOA) is vital for this particular audit.
• Prepare an audit checklist. This will be used to carry out the audit and will be aligned with the procedures and policies.
• Prepare an audit plan. This will include times, departments, and locations and should be provided to auditees ahead of the audit).
• Schedule time with auditees, time to compile your report, and a follow-up meeting with department representatives.
• Most importantly, have an in-depth understanding of what is required by the standard and by the organization.

It is crucial that you communicate the audit plan and session objectives in advance. No one likes a surprise, and it is not a good way to begin an audit.

4) Involve all departments. All members of your organization are responsible for maintaining information security, so cover as many departments in your scope as possible. All staff should be following some security requirements (for example, Teleworking, Confidentiality, and Clear Desk and Clear Screen Policy), whereas other departments have specific roles within the ISMS. For example:

• Human resources – HR has a defined responsibility in ensuring employee confidentiality is maintained. (Have they incorporated the information security manager’s advice into staff contracts?) This also applies to the disciplinary process. The information security team may be responsible for defining guidelines, but it is HR’s responsibility to enforce it.
• Technical / IT teams – The technical and IT teams have the greatest input in the information security system. Ensure that they are carrying out activities such as performing and testing data backups, implementing network security measures, and carrying out system patching.
• Customer-facing team – Customer-facing staff need to maintain customer confidentiality at all times.

5)  Audit auditees’ understanding of the purpose of the ISMS, as well as compliance. If something isn't being done, is this due to unclear task delegation, or a lack of understanding of the processes and policies? Checking that auditees understand the significance of information security should be a key part of your audit. Audits often present training and awareness opportunities.

6) Provide constructive feedback. An audit isn’t witch hunt; therefore, it is important that all findings are constructive in improving the Information Security Management System. Feedback can be provided at various points throughout the audit, such as directly to the auditee during the audit, and at the closing meeting. A crucial way to provide feedback after completing your audit is by preparing the report. Once you have prepared your report, it is crucial to share your findings with the department representatives and answer any queries that they may have.

7) Act on your findings. Finally, an audit wouldn’t be effective without acting on your findings. Once findings are agreed upon with the department representatives, ensure that they are logged for corrective action, and that follow-up on the effectiveness of the action performed is scheduled.

The difference between internal and external audits

ISO 19011 is a standard that describes how to perform audits – this standard defines an internal audit as “conducted by, or on behalf of, the organization itself for management review and other internal purposes.” This basically means that the internal audit is performed by your own employees, or you can hire someone from outside of your company to perform the audit on behalf of your company.

On the other hand, the external audit is done by a third party on their own behalf – in the ISO world, the certification audit is the most common type of external audit done by the certification body. You can also understand the difference between internal and external audits in the following way: The results of the internal audit will only be used internally in your company, while the results of the external audit will be used externally as well – for example, if you pass the certification audit, you will get a certificate, which will be used publicly.

Don’t be afraid

So, performing the internal audit according to ISO 27001 is not that difficult – it is rather straightforward: You need to follow what is required in the standard and what is required in the ISMS/BCMS documentation, and find out whether the employees are complying with those rules.

If you have prepared your internal audit checklist properly, your task will certainly be a lot easier.

To learn how to perform these steps, see this free online training: ISO 27001 Internal Auditor Course.

Author

Dejan Kosutic

Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001, NIS 2, and DORA expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.

Connect with Dejan: