How to conduct an ISO 27001 internal audit

If your organisation is to remain compliant with ISO 27001, you need to conduct regular internal audits.

An ISO 27001 internal audit will check that your ISMS (information security management system) still meets the requirements of the standard.

Regular audits can be beneficial, since they enable continual improvement of your framework.

This post will explain how to audit ISO 27001.


What is an internal audit?

An ISO 27001 internal audit involves a thorough examination of your organisation’s ISMS to ensure that it meets the Standard’s requirements.

Unlike a certification review, it’s conducted by your own staff, who will use the results to guide the future of your ISMS.

The requirements of an internal audit are described in clause 9.2 of ISO 27001.


Get started with your ISO 27001 audit plan

To help your ISMS internal audit succeed, we have developed a five-step checklist that organisations of any size can follow.

1) Documentation review

You should begin by reviewing the documentation you created when implementing your ISMS.

This is because the audit’s scope should match the scope of your organisation’s ISMS, as set out in that documentation.

Reviewing it will therefore set clear limits for what needs to be audited.

You should also identify the main stakeholders in the ISMS.

This will allow you to easily request any documentation that might be required during the audit.

2) Management review

This is where the audit activity really begins to take shape.

Before creating a detailed audit plan, you should liaise with management to agree on timing and resourcing for the audit.

This will often involve establishing set checkpoints at which you will provide interim updates to the board.

Meeting with management at this early stage allows both parties the opportunity to raise any concerns they may have.

3) Field review

This is what you might think of as the ‘audit proper’. It is at this stage that the practical assessment of your organisation takes place.

You will need to:

  • Observe how the ISMS works in practice by speaking with front-line staff members.
  • Perform audit tests to validate evidence as it is gathered.
  • Complete audit reports to document the results of each test.
  • Review ISMS documents, printouts and any other relevant data.

4) Analysis

The evidence collected in the audit should be sorted and reviewed in relation to your organisation’s risk treatment plan and control objectives.

Occasionally, this analysis may reveal gaps in the evidence or indicate the need for more audit tests.

5) Report

You will need to present the audit’s findings to management. Your report should include:

  • An introduction clarifying the scope, objectives, timing and extent of the work performed.
  • An executive summary covering the key findings, a high-level analysis and a conclusion.
  • The intended recipients of the report and, where appropriate, guidelines on classification and circulation.
  • An in-depth analysis of the findings, with conclusions and recommended corrective actions.
  • A statement detailing recommendations or scope limitations.

Further review and revision might be needed, because the final report typically involves management committing to an action plan.


How often do I need to conduct an audit?

Like many standards, ISO 27001 doesn’t specify how often an organisation needs to carry out an internal audit.

That’s because every organisation’s ISMS is different and will need to be treated as such.

Experts recommend carrying out an ISO 27001 internal audit annually. This won’t always be possible, but you need to conduct an audit at least once every three years.

This is the length of time for which most ISO 27001 certification bodies validate an organisation’s ISMS, suggesting that beyond this point there’s a good chance the organisation has fallen out of compliance.


Need help with your ISO 27001 audit?

At IT Governance, we’re serious about security.

Our unique combination of technology, methodology and expertise will give you the peace of mind that your organisation is secure and compliant.

You can take the hassle out of the audit process and save time and money with our market-leading ISO 27001 ISMS Documentation Toolkit.

Developed by expert ISO 27001 practitioners, it contains a customisable scope statement as well as templates for every document you need to implement and maintain an ISO 27001-compliant ISMS.

The ISO 27001 ISMS Documentation Toolkit includes a template of the internal audit procedure.



A version of this blog was originally published on 18 July 2018.