ISO 27001 Internal Audit of the Information Security Management System
Independent Internal Audit of Your Information Security Management System (ISMS)
Would you like to ensure that your information security management system complies with the requirements of ISO/IEC 27001 and supports the achievement of your organization’s objectives?
TJO Konsultatsioonid conducts independent internal audits of ISMSs to assess the effectiveness of the information security management system, its compliance with requirements, and opportunities for improvement. An internal audit helps identify potential deficiencies before a certification or surveillance audit and provides management with an objective overview of the information security situation.
Why should you outsource an ISMS internal audit from an external partner?
In many organizations, it is difficult to find an internal auditor who:
- possesses the necessary auditing expertise;
- is familiar with the ISO/IEC 27001 requirements;
- is independent of the area being audited;
- is able to provide an objective assessment of the system’s effectiveness.
An external auditor brings experience from various organizations and fields to the audit and is able to identify opportunities for improvement that might go unnoticed in the course of the company’s day-to-day operations.
What does an ISMS internal audit offer an organization?
As a result of the internal audit, the organization receives:
- an assessment of compliance with ISO/IEC 27001 requirements;
- an overview of the effectiveness of the information security management system;
- information on the effectiveness of the controls implemented;
- a list of identified nonconformities;
- practical recommendations for improving the system;
- better preparedness for certification or surveillance audits.
ISMS Internal Audit Process
1. Review of Documentation
The auditor analyzes the information security management system documentation, including:
- policies;
- procedures;
- guidelines;
- risk assessment results;
- the Statement of Applicability (SoA);
- other relevant documents.
2. Audit Planning
An audit program is prepared, and the following are agreed upon:
- interviews;
- observations;
- objects and processes;
- participants;
- the audit schedule.
3. Conducting the audit
During the audit:
- employees are interviewed;
- process performance is assessed;
- evidence is reviewed;
- the effectiveness of applicable control measures is assessed.
4. Audit Summary
Audit findings are documented and presented to management, including:
- nonconformities;
- observations;
- risk areas;
- opportunities for improvement.
When should an internal audit be conducted?
- Definitely as a full-scale audit prior to the ISO 27001 certification audit;
- preferably in accordance with the audit program prior to the next surveillance audit;
- after major organizational changes;
- after significant information security incidents;
- regularly, in accordance with the organization’s audit program.
Frequently Asked Questions
How long does an ISMS internal audit take?
The duration of the audit depends on the size of the organization, the number of employees, the number of locations, and the scope of the audit. In smaller organizations, the audit may take one day; in larger organizations, it may take several days.
Is an internal audit mandatory for ISO 27001?
Yes. ISO/IEC 27001 requires that internal audits be conducted at planned intervals to assess the compliance and effectiveness of the management system.
Does an internal audit help prepare for the certification audit?
Yes. An internal audit allows you to identify nonconformities before the certification body’s audit and reduce the risk of nonconformities.
Can an auditor audit their own work?
Generally, no. The auditor must be independent and objective to ensure the reliability of the audit.