It is hard to imagine that any organisation can succeed in achieving and maintaining ISO 27001 compliance without employing internal auditors. The internal auditor is instrumental in reviewing the effectiveness of the selected security controls and recommending suitable modifications where requirements weren’t met. In other words, he or she plays a major role in passing the company’s surveillance audit.
Whilst smaller organisations can probably cope with just one ISO 27001 ISMS internal auditor, medium- and large-sized organisations usually need to appoint several internal auditors from various departments, e.g. HR, finance, sales, IT, etc. Appointing internal auditors by department distributes the responsibility and reduces the risk of mistakes that could arise from under-resourcing. It also improves the integrity of the ISO 27001 CAPA (Corrective and Preventive Action) programme.
Being able to rely on an ISO 27001 ISMS internal auditor is very useful during the implementation phase of the ISO 27001 ISMS project, as his or her role is to provide strategic guidance and set goals for the audit programme. Once the ISMS project is complete and ISO 27001 compliance has been achieved, the internal auditor continues to play a major role by reviewing and maintaining that compliance.
Who can become an internal auditor?
Senior managers make good candidates for internal auditors. For example, HR managers can particularly benefit from qualifying as an internal auditor, as they are used to ensuring policies are kept up to date with standards and acts, such as the Data Protection Act (DPA). Becoming part of the ISO 27001 ISMS team can make their job easier, as they’ll already be up to speed with meeting the relevant requirements.
Becoming an ISO 27001 ISMS Internal Auditor provides professionals with generic auditing skills which can be used in different environments (not just in the context of ISO 27001 compliance). Internal Auditors are also valuable to an organisation for auditing third-party suppliers and partners to ensure they have adequate security controls in place.
As the trainer for IT Governance’s ISO 27001 ISMS Internal Auditor Training Course, Nick Orchiston says he always aims to help delegates look beyond pure compliance, as it’s important that they have their eyes set on improvement too. Nick provides his delegates with hints and tips on ways to approach auditing, both from an auditor’s perspective and from that of an auditee, to make the process simpler and more successful.
Train as an internal auditor
Appointing, or becoming, an ISO 27001 ISMS Internal Auditor will streamline the process and ensure compliance is upheld and maintained. The ISO 27001 ISMS Internal Auditor Training Course will prepare delegates for the job and provide them with useful hints and tips, whilst making the learning process enjoyable. Either way you look at it, appointing or becoming an ISO 27001 ISMS Internal Auditor is a win-win situation for both the individual and the organisation.