Everything you Need to Know about ISO 27001 Internal Auditing
- Posted by Gareth Keenan
- Categories Information Security, ISO 27001
- Date 25/10/2023
Broadly speaking, internal auditing is an evaluation of an organisation’s internal controls for the purpose of checking compliance with legislation, regulations and standards. In this blog, however, we will be specifically looking at internal auditing as it pertains to ISO 27001, the International Standard for Information Security Management.
In this context, the role of the internal audit process is to ensure that the organisation undertaking it has taken every appropriate and reasonable measure to verify the efficacy of its information security management system (ISMS) against both the organisation’s own requirements and those of the Standard.
An ISO 27001 Requirement
Clause 9.2 of ISO/IEC 27001:2022 states that the certifying organisation must ‘conduct internal audits at planned intervals’ to check that the ISMS remains conformant to the Standard and the organisation’s requirements, and that it is being effectively implemented and maintained.
Best practice recommends that internal auditing is implemented as an aspect of business-as-usual operations, rather than treated as a stand-alone process undertaken only because the Standard requires it. Internal auditing should be a recurring process, triggered whenever a significant change occurs within the organisation or, if there are no substantial changes, at regular intervals.
Identifying the Auditors
Internal auditing must be performed by impartial and objective auditors who will report their findings without bias. This is another requirement set out in the Standard (Clause 9.2.2b, to be precise), so you will need to select auditors who are competent and impartial in order to conduct auditing in full conformance with ISO 27001.
Many organisations choose to hire auditors from external companies for this, as it is the easiest way to guarantee that the three pillars of internal auditing (competency, impartiality and objectivity) are upheld. If this is the route you decide to take, URM can offer reliable and competent internal auditing services, informed by nearly 2 decades of experience in helping organisations remain conformant to ISO 27001.
However, if you wish, you are allowed to use internal staff members. These can be either individuals who are already auditors, or individuals in other roles whom you train to audit. The most important rule to observe when choosing an auditor is that they cannot audit anything they have been involved in developing or implementing.
The Audit Process
The Standard specifies that the certifying organisation must establish an audit programme or schedule. When doing so, it is wise to avoid scheduling audits during busy or challenging periods for the business, particularly if your organisation undergoes frequent regulatory and client audits.
It’s also important, where possible, to avoid auditing certain functions or departments within your organisation far more extensively than others, as this can lead to accusations that some areas of the business are being picked on while others are not subject to the same degree of scrutiny.
All relevant employees must be available for interview during the audit. However, it’s important that any employee who is interviewed understands they are not being interrogated or criticised, and that the interview, and the audit process as a whole, is being conducted simply in order to continually improve the ISMS.
The audit must also be properly documented, and the documentation will generally be used to produce a report. Thorough records must be kept of who was interviewed, the minutes of those interviews, the evidence that was found and a summary of the findings.
The documentation should also contain details of any nonconformities identified, along with opportunities to improve the ISMS. The nonconformities you identify can be either nonconformities with the Standard itself, or areas where the ISMS is not meeting your organisation’s own requirements of it.
In order to remain conformant to the Standard, you will need to track and manage the findings of the ISO 27001 internal audit and identify remediation activities; very often this is done via the corrective action or continual improvement process.
When your next management review following the audit takes place, the findings of the audit (and perhaps the report) will be important inputs, acting as a key indicator of not only the ISMS’ health, but also of the organisation’s overall information security posture.
Closing Thoughts
By conducting regular internal audits, not only will your organisation remain conformant to ISO 27001, but the audits will also provide both internal and external benefits by evidencing the fact that your organisation has properly implemented and actively maintains its ISMS. Their outputs will demonstrate that senior management within your organisation has bought in to the ISMS and is involved in ensuring it remains fit for purpose, and that the organisation as a whole is invested in continually improving the ISMS – one of the core requirements in maintaining ISO 27001 certification.