Control A.15.2 of ISO27001 requires that as part of an information security management system (ISMS) “managers within an organisation ensure that security policies are followed.”
This sounds very sensible – but how do you know that managers are actually enforcing your ISMS security policies?
The answer is regular ISMS internal audits, and it usually falls to the information security manager or ISO27001 project leader to develop an effective internal audit plan.
Here are 5 practical tips to consider when planning your internal audits.
1. Talk to HR to ensure that information security is included in all managerial job responsibilities.
This is relatively easy. Adding a responsibility to a job description provides the impetus for managers to ensure security policies are followed. However, it doesn’t ensure it’s actually happening – hence the need for regular internal audits!
2. Encourage one or two volunteers from each department to join your internal audit team.
Getting involved in internal ISMS audits is actually a great opportunity for staff. As well as developing valuable audit skills, they will also gain an insight into other areas of the organisation and interact with staff at all levels – perfect for professional development.
3. Develop the skills of your internal audit team, to ensure they are prepared for the job.
Audit skills development could be led by you, or you might consider external ISMS internal auditor training for key staff. Whichever option you select, the team must have the skills to deliver a consistent approach to auditing in order to get the best results.
4. Plan your audit schedule at least 12 months in advance.
This will ensure you have cover for staff holidays or absences in the run-up to your audits. If you have an internal quality department, it’s wise to co-ordinate the timing of your internal audits with them to minimise disruption.
5. Create a clear process for documenting findings.
Any non-conformances picked up by your internal audit team need to be documented correctly. This involves recording the issue, developing an action plan and agreeing a deadline for addressing the issue.
A clear documentation process will make your role of checking and monitoring issues much quicker and easier. It will also help you to identify trends or patterns that can point to larger threats.
Finally, if you seek formal ISO27001 certification and undergo an external ISMS audit, this documentation will be crucial in demonstrating the effectiveness of your internal audit process.
Find out more
For further practical advice, our two-day ISO27001 Internal Auditor Course is suitable for anyone who is going to be responsible for conducting internal audits. Our previous delegates can recommend it on our behalf:
“Well run and informative course given by an experienced instructor. Top marks!!!” David Shrimpton, Mid Essex Hospitals NHS Trust.
“The trainer’s enthusiasm ensured that an enjoyable two days were had by all.” Paul Pickering, G4S.