An ISO 27001-compliant ISMS requires ongoing maintenance and review to meet the Standard’s requirements in clauses 8 and 9. The internal audit is an essential element of this process that must be carried out as described in clause 9.2 of ISO 27001, and should be conducted at planned intervals.
Organisations looking to achieve compliance with ISO 27001 often view the internal audit as a perplexing prospect. That’s mainly because it’s not always easy to be fully objective about how well you’ve implemented and documented your processes and controls, especially when you’ve been directly involved in the ISMS implementation project.
1. Why endless checking and cross-checking isn’t the answer
Having to check and cross-check your own work means you run the risk of missing important red flags that an experienced and independent auditor might spot easily.
But the internal audit is also the last checkpoint for determining whether the company is indeed ready to pass the final certification audit. If the organisation is not properly prepared, a fail at the certification audit stage could result in additional expenses no company would want to incur.
2. Independent audits can make a big difference
Many companies choose to use an independent certified auditor before the certification audit to help them identify the various gaps between the security measures that have been implemented and the specific demands of ISO 27001.
It is the auditor’s job to highlight any nonconformities that need to be fixed in order to satisfy the certification audit. In this respect, the company may even find that the internal auditor is a little less forgiving than one would expect from the certification audit itself.
3. Getting challenged during the audit is a good thing
“In some ways, it seems harsh that companies get challenged during the internal audit, even if they had many of the right measures ingrained in the business,” says Steve Watkins, director of IT Governance and UKAS assessor. “However, ISO 27001 is very specific in its requirements and, to compound matters, its language is generic, so it can be hard for the uninitiated to understand precisely how it applies to them.”
Taking a rigid approach that brooks no variance from the Standard helps the company to be fully prepared and proceed to the certification audit with fewer jitters.
4. Get the right expertise on your side
- Go the outsourcing route
Companies can outsource their internal audit to a qualified auditor with deep experience of ISO 27001 and the audit process in order to gain the assurance needed to meet their clients’ and stakeholders’ demands.
- Build internal competence
Alternatively, the company can acquire the necessary practical skills to conduct an effective internal audit through a recognised, qualification-based internal audit training course. Attendance equips prospective auditors with the practical knowledge and skills to perform internal audits that maintain conformity and drive continual improvement.
Without the experience of a seasoned audit professional, the internal audit can be challenging, especially when the organisation is new to ISO 27001.
“We benefited hugely”
As one of our clients put it: “We benefited hugely from IT Governance’s advice, and they effectively mapped out the route we needed to follow. If I were faced with doing the project all over again, the first thing I would do is get an expert consultant in to make sure we were tackling things in the right way. IT Governance really know their stuff and immediately impressed us with their calm and reassuring approach.”