The basics
ISO 27001 sub-clause 9.2 is called “Internal audit”. It requires that internal audits be performed at planned intervals to assess whether the ISMS is effectively implemented and maintained, and whether it conforms both to the requirements of ISO 27001 and to the company’s own policies and procedures.
Documentation
ISO 27001 clause 9.2 Internal audit requires the following documents (the same ones a certification auditor will ask to see, as listed under Audit evidence below):
- Internal audit program
- Internal audit report (the results of each audit)
The following documents are not mandatory; companies can decide for themselves whether to write them:
- Internal audit checklist
- Internal audit plan
- Internal audit procedure
Implementation
To comply with clause 9.2 Internal audit, a company must first set up its internal audit process, and then actually perform internal audits.
Here are the steps for preparing the internal audit process:
- Internal audit procedure – this is where you define the rules on how audits must be performed (who may audit, how findings are classified, how reports are distributed, etc.).
- Internal audit program – this is a 1-year or 3-year plan stating how many audits will be performed during that period, and the scope, audit criteria, methods and responsibilities for each.
Here are the steps to perform a single internal audit:
- Document review – review the ISMS documentation to become acquainted with the ISMS processes, and to find out whether the documents themselves conform to ISO 27001.
- Create a checklist – based on the documents you studied, create a list of the items you need to check during the main audit.
- The main audit – this is where you check each item on your checklist for conformance, i.e., collect evidence (records, interviews, observation) that it is actually being done.
- Internal audit report – summarize all the nonconformities you found, together with your observations and recommendations for improvement.
- Follow-up – after the nonconformities have been corrected, verify that the corrections were done properly and actually address the root cause.
Audit evidence
During the certification audit, an auditor might ask for the following evidence regarding ISO 27001 clause 9.2 Internal audit:
- Whether the mandatory documents exist – the Internal audit program, the Internal audit reports, and the records of nonconformities raised.
- Whether your internal auditor is free of conflicts of interest (i.e., does not audit their own work or area), and whether they are competent to perform the audit.
- Whether your Internal audit program contains all the mandatory elements – responsibilities, frequency, audit methods, and the audit criteria and scope for each audit.
- Whether the audit results have been reported to relevant management, including top management, and whether they were reviewed during the management review.
- Whether the internal auditor has covered the whole ISMS scope over the audit cycle.
- Whether the internal auditor has taken into account all applicable security requirements – e.g., ISO 27001, internal policies and procedures, and requirements from interested parties.