We don’t need an ISO 27001 Internal Auditor, do we?

In Clause 9.2 of the ISO 27001:2013 standard, it states that the purpose of the internal audit is to determine whether the ISMS:

  1. conforms to the organisation’s own requirements for its information security management system; and the requirements of this International Standard;
  2. is effectively implemented and maintained.

In a nutshell, the internal auditor is an essential role in reporting to senior management on how the information security management system (ISMS) is performing. In smaller organisations, the internal auditor often helps prepare for the certification or maintenance visit by the lead auditor from a Certification Body, and in this respect needs to have a good knowledge of the requirements and processes involved in the certification audit. The most important role of the internal auditor, however, is to continually monitor the effectiveness of the ISMS and help senior managers determine if the information security objectives are aligned with the organisation’s business objectives.

How many ISO 27001 internal auditors are required?

Whilst smaller organisations may only require one person in this role, medium- and large-sized organisations usually need to appoint several internal auditors from various departments, e.g. HR, finance, sales, IT, etc. Appointing internal auditors by department spreads the responsibility and reduces the risk of mistakes that could arise from under-resourcing. It also improves the integrity of the ISO 27001 CAPA (Corrective and Preventive Action) programme.

Being able to rely on an ISO 27001 ISMS internal auditor is very useful during the implementation phase of the ISO 27001 ISMS project, as his or her role is to provide strategic guidance and set goals for the audit programme. The internal auditor plays a major role after the completion of the ISMS project and once ISO 27001-compliance has been achieved by reviewing and maintaining compliance.

Who can become an internal auditor?

Senior managers make good candidates for internal auditors. For example, HR managers can particularly benefit from qualifying as internal auditors, as they are used to ensuring policies are kept up to date with standards and acts, such as the Data Protection Act (DPA). Becoming part of the ISO 27001 ISMS team can make their job easier, as they’ll already be up to speed with meeting the relevant requirements.

Becoming an ISO 27001 ISMS Internal Auditor provides professionals with generic auditing skills which can be used in different environments (not just in the context of ISO 27001 compliance). Internal auditors are also valuable to an organisation for auditing third-party suppliers and partners to ensure they have adequate security controls in place.

As the trainer for IT Governance’s ISO 27001 ISMS Internal Auditor Training Course, Nick Orchiston says he always aims to help delegates look beyond pure compliance, as it’s important that they have their eyes set on improvement too. Nick provides his delegates with hints and tips on ways to approach auditing, both from an auditor’s perspective and from that of an auditee, to make the process simpler and more successful.

Train as an ISO 27001 internal auditor

Our ISO 27001 Certified ISMS Internal Auditor training course provides the knowledge and skills required to perform ISO 27001 internal audits that deliver compliance and drive the continual improvement of an organisation’s ISMS. Delegates who pass the course’s examination are awarded the Certified ISMS Internal Auditor Qualification (CIS IA) by the International Board for IT Governance Qualifications (IBITGQ). The next classroom course is running in London on 22-23 March 2016.