How to carry out an ISO 27001 internal audit

If your organisation has adopted ISO 27001, the international standard for information security, and wants to maintain compliance, you will need to conduct regular internal audits.

The process often catches organisations off guard, because they don’t realise how quickly things can change after they’ve implemented an ISMS (information security management system). However, maintenance is a crucial part of ISO 27001 compliance, and this blog helps you understand everything you need to know.

What is an internal audit?

An ISO 27001 internal audit involves a thorough examination of your organisation’s ISMS to ensure that it meets the Standard’s requirements. Unlike a certification review, it’s conducted by your own staff (hence ‘internal’), who will use the results to guide the future of your ISMS.

The requirements of an internal audit are described in clause 9.2 of ISO 27001.

How often do I need to conduct an audit?

Like many standards, ISO 27001 doesn’t specify how often an organisation needs to carry out an internal audit. That’s because every organisation’s ISMS is different and will need to be treated as such.

Experts recommend carrying out an ISO 27001 internal audit annually. This won’t always be possible, but you need to conduct an audit at least once every three years. Three years is the period for which most ISO 27001 certification bodies validate an organisation’s ISMS, suggesting that beyond this point there’s a good chance that the organisation has fallen out of compliance.

Preparing for the audit

Organisations should start planning their internal audit about 12 months in advance. That means organisations that have recently implemented their ISMS should begin preparing right away.

The long lead time ensures that you have cover for staff absences before your audits, and that all the necessary people will be available. You don’t want to schedule an audit only to learn that the person you need to speak to has booked a two-week holiday during that time.

Conducting the audit

There are five stages to an ISO 27001 internal audit:

  1. Document review: Read all the documentation created when you implemented your ISMS. This will set clear limits on the scope of what needs to be audited.
  2. Audit plan: Auditors and management should create a detailed checklist of what needs to be done. The plan should also formalise the timing and resourcing of the internal audit.
  3. Field review: This is the practical assessment of the organisation. Auditors will take a first-hand look at the whole company, talking to employees, checking equipment and observing how the ISMS works in practice. They will also conduct audit tests to validate evidence as it’s gathered.
  4. Analysis: The collected evidence should be sorted and reviewed in relation to the risks and control objectives.
  5. Report: The findings of the audit should be presented to management.

Become an ISO 27001 internal auditor

The importance of internal auditing means that all ISO 27001-certified organisations need someone with the relevant skills. This makes ISO 27001 internal auditing a very stable role, and the growing popularity of the Standard means that ISO 27001 internal auditors are in increasingly high demand.

Those looking to take advantage of this opportunity should enrol on our ISO27001 Certified ISMS Internal Auditor Training Course.

This two-day course is presented by an experienced ISO 27001 practitioner with real-world insights into implementing and maintaining an ISMS that complies with the Standard. You’ll learn everything about ISO 27001 auditing, including the role the auditor plays, the documents you need to be aware of and the ins and outs of planning and conducting an audit.

Find out more about our ISO27001 Certified ISMS Internal Auditor Training Course >>