In a week when we were pleased to announce that our ISO27001 Internal Auditor training course has been accredited by the International Board for IT Governance Qualifications (IBITGQ), I want to take the opportunity to explain the difference between an ISO27001 Internal Auditor and an ISO27001 Lead Auditor.
In Clause 9.2 of the ISO27001:2013 standard, it states that the purpose of the internal audit is to determine whether the ISMS:
- conforms to the organisation’s own requirements for its information security management system; and the requirements of this International Standard;
- is effectively implemented and maintained.
Compare this to the description of an initial certification audit as in Clause 9.2.3, from the ISO27006 standard:
The objectives of the certification audit are:
- To confirm that the client organization adheres to its own policies, objectives and procedures; and
- To confirm that the ISMS conforms to all the requirements of the normative ISMS standard ISO/IEC 27001 and is achieving the client organisation’s policy objectives
Have you spotted the difference?
In a nutshell, the internal auditor is an essential role in reporting to senior management on how the information security management system (ISMS) is performing. A lead auditor performs an audit on behalf of a second or third party and checks that the ISMS is fully compliant to the specifications of ISO27001. A second party could be a partner organisation who requires a supply chain audit and a third party is usually an independent certification body such as BSI, LRQA or DNV.
In smaller organisations, the internal auditor often helps prepare for the certification or maintenance visit by the lead auditor, and in this respect needs to have a good knowledge of the requirements and processes involved in the certification audit. The most important role of the internal auditor, however, is to continually monitor the effectiveness of the ISMS and help senior managers determine if the information security objectives are aligned with the organisation’s business objectives.
Using the principles based on the ISO 19011:2011 internal audit best practice, ISO27001 internal auditors will also contribute to:
- Secure agreement of the goals for individual audits within an audit programme.
- Reduce duplication of effort when conducting combined information security audits.
- Ensure audit reports follow the best format and contain all the relevant information.
- Evaluate the competence of members of an audit team against appropriate criteria.
Our ISO27001 Certified ISMS Internal Auditor training course provides the knowledge and skills required to perform ISO27001 internal audits that deliver compliance and drive the continual improvement of an organisation’s ISMS. Delegates who pass the course’s examination are awarded the Certified ISMS Internal Auditor Qualification (CIS IA) by the International Board for IT Governance qualifications (IBITGQ).