
A key component of ISO 27001 compliance is regular internal audits.
This helpful audit ensures that your Information Security Management System (ISMS) is not only in compliance with the ISO 27001 standard, but that it’s also effective in maintaining information security for your organization.
To help you develop your own internal audit program, we’ve broken down the requirements of the internal audit and compiled a checklist to help you streamline the process.
An ISO 27001 internal audit is a requirement of the ISO 27001 standard (detailed in Clause 9.2) that instructs an organization to examine if their ISMS meets the standard’s requirements.
Unlike the certification audit, an internal audit can be conducted by your own staff. These audits must be conducted on a regular basis, and the audit process must be documented.
It’s important that the individual (or individuals) conducting the internal audit are impartial and are not auditing functions or processes that they manage or helped create. If your organization doesn’t have anyone who meets these criteria, you can recruit an external auditor to help you complete the audit.
If you’re looking to build a compliant ISMS and achieve certification, this guide has all the details you need to get started.
An internal audit is just one type of ISO 27001 audit, but it is the only audit type that is not carried out by a certification body.
ISO 27001 requires organizations to plan and conduct internal audits in order to prove compliance. These audits are meant to review and assess the effectiveness of the company’s ISMS.
These are carried out by an organization’s own internal audit team. If a business doesn’t have an internal auditor, it can use an outside party; an audit performed this way is called a “second-party audit.”
The certification audit is conducted by a certification body, and if you prove compliance, you will receive a certificate of compliance that’s valid for three years. During those three years, you’re obligated to maintain your ISMS and the processes, ISO 27001 controls, and requirements that helped you achieve compliance.
This is the only type of ISO 27001 audit that is conducted only once, when you are first awarded your certificate of compliance.
After those three years have passed, your organization will need to undergo a recertification audit where you will provide evidence proving continuous compliance and proof of ongoing ISMS improvement.
After achieving certification, you must schedule surveillance audits with a certification body. These audits are performed in years one and two after your certification audit and before your recertification audit.
These audits include:
The Four Types of ISO 27001 Audits
| | Internal audits | Certification audit | Recertification audits | Surveillance audits |
|---|---|---|---|---|
| Performed by | Independent party (internal or external resource) with sufficient expertise | Certification body | Certification body | Certification body |
| Audit frequency | Once every year | Once, when you are first awarded your certificate | Once every three years | Annually in years one and two between certification and recertification audits |
The main difference between certification audits and internal audits lies in the objectives included within the ISO 27001 standard.
ISO 27001 states that internal audits are meant to:
ISO 27001 states that the certification audits are meant to:
The internal audit focuses on the effectiveness of the ISMS, however that might look within your company. The certification audit is used to test conformity of an ISMS against the ISO 27001 requirements.
Internal audits are important because the ISO 27001 standard requires them. Clause 9.2 of the standard mandates a program of internal audits in order to prove an ISMS is in compliance and working effectively.
Beyond being a requirement, internal audits provide companies with a variety of benefits. These include:
Internal ISO audits are customizable to fit the particular needs and requirements of your organization. We’ve outlined a few of the core steps to complete an internal ISO 27001 audit below.
First things first: Your designated auditor (whether internal or external) should review the documentation of how the ISMS was created. This will help to set the scope of the internal audit to match that of the ISMS, since that’s what the internal audit covers.
The documentation should also identify the key individuals responsible for the controls and processes of the ISMS. This will help the auditor should they need to request more information about ISMS specifics.
During this phase, management and the auditor(s) should create a detailed ISO 27001 internal audit checklist of what needs to be done. Consideration should be given to the resources needed to complete the audit as well as the time frame.
Fieldwork is the audit proper, the phase in which the ISMS is tested, observed, and reported on. During this phase, your audit team will interview employees and observe how the ISMS is implemented throughout the company.
The audit evidence should be sorted, filed, and reviewed in relation to the risks and control objectives set by your organization and the ISO 27001 standard.
Once the evidence has been collected, it must be sorted and reviewed against the ISO 27001 standard. This process may reveal gaps in evidence collection and require additional audit tests.
Once the fieldwork tests have been completed, your audit team will deliver a report to management. Results should be maintained as a record of performance and proof that your company is in compliance with the standard’s ISMS requirements.
This report typically includes:
Once the report has been handed over to management, they are responsible for tracking the correction of nonconformities found during the audit.
We’ve created a simple five-step ISO 27001 audit checklist to help you understand the tasks required to complete an ISO 27001 internal audit. You can download the PDF below.
Oftentimes, organizations have no one on staff who is both qualified to complete an internal audit and not directly tied to the creation and maintenance of the ISMS.
When this happens, it’s crucial to find an external auditor to help you complete the internal audit. Secureframe can help by matching you with an auditor that not only knows your industry, but also understands the standard inside and out.
This will help you to efficiently and effectively assess your ISMS prior to the certification process.
To learn more about how Secureframe can help streamline the ISO 27001 certification process, schedule a demo today.