Of all the activities required to get and maintain certification to ISO 27001, the one that often confuses or even seems to frighten organisations is the internal auditing requirement.
What is an internal audit?
Internal audits are a mandatory requirement within ISO 27001, but they are also an important way to verify that your Information Security Management System (ISMS) is functioning as required and to identify opportunities for improvement. Whilst internal auditing will be new to businesses without existing certifications, it is actually more straightforward and valuable than you might think.
In this blog, we’ll explain more about the process, what is required and who should lead an internal audit. We’ll also provide guidance on what to cover during your ISO 27001 internal audits.
What is the ISO 27001 internal audit requirement?
It is a mandatory requirement of the ISO 27001 standard to conduct and document internal audits “at planned intervals” to validate the suitability and adequacy of the ISMS.
The generally accepted interpretation of the requirement is that an organisation will conduct internal audits against all clauses and controls of the standard over the three-year certification cycle. The audits should be run according to a documented schedule that prioritises high-risk areas, and with the assumption that no less than two internal audits will have been completed and documented ahead of the Stage 2 certification assessment.
On rare occasions, a certification auditor may ask an organisation to conduct and document internal audits against all clauses and controls of the standard prior to the Stage 2 certification assessment. The auditor may quote other standards in support of their request, although this comes down to interpretation and is certainly not an explicit requirement of ISO 27001. To prevent any last-minute surprise, and potential delays in certifying, it is useful to ask the selected Certification Body during your implementation project for written confirmation of their expectations where internal audits are concerned.
When are ISO 27001 internal audits required?
As is often the case, the ISO standard specifies that audits must be conducted at planned intervals but leaves it to the organisation to decide what this means. Indeed, a company may decide to spread the load by scheduling audits on a monthly or even a weekly basis. Alternatively, it may elect to conduct audits less often, such as on a quarterly basis, or to concentrate them all into a period of lower activity over two to three weeks. Furthermore, an organisation may justifiably decide to prioritise, and if required repeat, audits where a clause or control has previously highlighted improvement opportunities or gaps in compliance.
Whatever the approach, audit dates must be documented in an audit schedule, although this does not mean that the dates are set in stone. Indeed, they can be moved to reflect changes to the organisation’s risk landscape or appetite, or simply to allow competing activities to take priority. However, having a documented – and approved – audit schedule demonstrates the organisation’s commitment to compliance and, importantly, to continual improvement.
Who should conduct ISO 27001 internal audits?
As with all employees within the organisation, ISO expects that the members of staff who have been selected as internal auditors will have received training that is appropriate to their role. In this instance, this may be achieved by them attending an internal, external or online auditing course. Numerous training providers offer ISO 27001 Internal Auditor and Lead Auditor training courses.
In a small organisation where staff may wear more than one hat, internal auditing may be an unwanted burden, both in terms of resourcing and from a cost perspective. It may also be difficult to maintain both impartiality and objectivity, as the nominated auditor may be required to audit their own area of responsibility or their own managers. Consequently, small organisations may decide to outsource their internal auditing to a qualified third party such as Evalian, which will act as their external ISO 27001 consultant and be able to provide an independent review of their compliance with the standard and with their own policies and processes.
The use of a third party is, of course, not reserved for small companies. Larger organisations may also choose this option because they do not wish, or cannot justify, maintaining a team of auditors, or simply to avoid any internal conflict of interest. In addition, an audit report produced by a specialist organisation may carry more weight and be more readily accepted when it comes from outside the organisation and away from internal politics.
Can internal audits be conducted remotely?
Traditionally, ISO audits were conducted on-site. However, COVID restrictions have proven that audits can be done successfully remotely. In fact, it seems that, despite the lifting of restrictions, this trend is set to continue, with the benefits of increased flexibility and lower costs.
In most cases, auditors can view the evidence they require in screen-sharing sessions. Physical security audits may be a little trickier, but not necessarily impossible so long as the audited organisation is happy for an employee to act as the eyes (and legs!) of the auditor by walking around the site with a camera. Auditors often accept this as a compromise, with the caveat that physical security arrangements will be verified in person at a subsequent onsite surveillance audit.
What should an ISO 27001 internal audit cover?
The following high-level steps should be considered when approaching an internal audit.
- Planning and Preparing
  - The auditor should prepare an audit plan, based on the approved Audit Schedule.
  - The audit plan should confirm the scope of the audit, the date, the time, the duration, the audit criteria, and also whether the audit will be conducted on-site or remotely. It should also clarify that the audit will be sample-based.
  - The audit plan should be submitted to the auditee for approval so that there is no misunderstanding on the day.
  - The audited organisation should ensure that resources are available on the day and that they have been briefed appropriately.
- Audit Interviews
  - The auditor should confirm to the auditee the purpose and scope of the audit, and that they are on a fact-finding mission and aim to be impartial and objective.
  - The auditor should explain the objectives of each interview.
  - The auditor should record facts and supporting evidence presented by the auditee.
  - Areas of improvement and non-compliance should be summarised at the end of each audit, ensuring that there are no doubts about the key issues, and the next steps and timelines should be clearly stated.
- Audit Report
  - The audit report should reiterate the purpose and scope of the audit.
  - It should provide an overall summary of compliance and of the findings.
  - It should also clearly state Opportunities for Improvement and Non-Conformities.
  - Once completed, the report should be issued to the auditee for review and comment.
  - The final report should document agreed actions with individual action owners, deliverables, timescales and measures of effectiveness.
  - Audit actions should be logged, tracked to completion and reported against as per the Non-Conformity and Corrective Action Management process and/or the Continual Improvement process.
Final thoughts on internal audits
Undoubtedly, while internal audits will help ascertain that the ISMS is effectively implemented and appropriately maintained, their main benefit is their contribution to a company’s commitment to continual improvement.
Indeed, an internal audit helps identify opportunities for improvement as well as non-conformities. A typical audit report will contain actions that must be addressed by the auditee: the auditor will review previous reports at their next visit and will want to see that opportunities for improvement have been considered and that non-conformities have been corrected, and also, for the latter, that a root cause analysis has taken place to at least reduce the risk of recurrence.
Properly managed, internal audits should lead to increased levels of compliance, reduced risk exposure, reinforced security and maintained integrity. They offer a way to identify gaps in compliance, opportunities for improvements and potential risks to the organisation.
People are often afraid of auditors and so fail to realise that the auditor can be a valuable resource! They provide an independent view of how your management system is managed, and their findings should help you promote improvement, and may also help you justify training, authorise recruitment and more generally leverage investment.
Need help with your internal auditing?
If you are thinking of gaining ISO accreditation, we’re here to help wherever you are on your decision path. We can help with an initial workshop, carry out a full gap analysis, support your ISO project or manage your management system for you. We can also help you understand what to look for when choosing an ISO 27001 certification body.
If you operate a remote gambling product in the UK market, you need to be licensed by the Gambling Commission (UKGC) under sections 89 and section 97 of the Gambling Act 2005. Learn more here about the Gambling Commission RTS Security Audit.
If you’d like to understand more about our ISO services, we’d be delighted to hear from you. You can find out more about our services here.