Clause 9.2 of ISO 27001 states that the purpose of an internal audit is to determine whether an organisation’s ISMS (information security management system):
- Conforms to its own requirements for an ISMS, as well as the requirements of the Standard; and
- Is implemented and maintained effectively.
An internal auditor’s most important task is to continually monitor the effectiveness of the ISMS and help senior staff determine whether the information security objectives are aligned with the organisation’s business objectives.
In small and medium-sized organisations, the internal auditor often helps prepare for the certification or maintenance visit. It’s therefore highly beneficial to have a solid understanding of the requirements and processes involved in the certification audit.
How many ISO 27001 internal auditors do you need?
Smaller organisations probably only need one ISO 27001 internal auditor, but larger organisations usually require several internal auditors focusing on different departments.
Appointing internal auditors for different departments spreads the responsibility across several people and reduces the likelihood of mistakes. It also improves the integrity of the ISO 27001 CAPA (Corrective and Preventive Action) programme.
An effective ISO 27001 internal auditor is an indispensable asset for an organisation, as they can provide strategic guidance on the implementation of the ISMS and set goals for the audit programme.
Their work, and the help they provide, isn’t finished after the ISMS has been implemented and the audit has been completed. They will continue to keep an eye on the ISMS and make recommendations for maintaining compliance.
Who can become an internal auditor?
Senior managers make good candidates for internal auditors. HR managers, for example, are well-suited to the role, because they are used to making sure policies are kept up to date with standards and legal requirements. Plus, becoming part of the ISO 27001 ISMS team can make their existing HR job easier, as they’ll already be up to speed with many relevant requirements.
The general auditing skills required to become an ISO 27001 internal auditor can also be used in environments outside those related to the Standard. Additionally, internal auditors are valuable to organisations that audit third-party suppliers, as they can check that suppliers have adequate security controls in place.
Become an ISO 27001 internal auditor
Our ISO 27001 Certified ISMS Internal Auditor Training Course gives you the knowledge and skills you need to audit against the Standard effectively, driving the continual improvement of your organisation’s ISMS.
Those who pass the included exam will receive the Certified ISMS Internal Auditor Qualification (CIS IA) from IBITGQ (International Board for IT Governance Qualifications).
The course will be running in London on 14–15 August 2018 and 13–14 November 2018.