If you are new to ISO 27001, and ISO standards in general, then internal audit may be an area where you have several questions. For example, how regularly should we be auditing the information security management system (ISMS)? What needs to be covered in the internal audit? Do I need to cover all controls in each audit cycle, or just a subset? How do I decide which controls to audit? Unfortunately, there is no single answer for this; however, there are some guidelines we can identify in an ISO 27001 internal audit checklist.
The internal auditor can approach an audit schedule from a number of angles. Firstly, the auditor may wish to audit the ISMS clauses 4-10 regularly, with periodic spot check audits of Annex A controls.
In this case, the ISO 27001 audit checklist may look something like this:
Day One – Documentation review (clauses 4-10)
Check all mandatory documentation required for the system is in place including risk assessment and treatment procedures, risk assessments, risk treatment plans, non-conformity reports, corrective action reports etc.
Day Two – ISMS Audit (clauses 4-10)
Confirm the policy requirements have been implemented. Run through the risk assessment, review risk treatments and review ISMS committee meeting minutes, for example. This will be bespoke to how the ISMS is structured.
Day Three – Annex A Controls Audit
Review a subset of Annex A controls. The auditor may wish to select all of the controls over a 3 year audit cycle, so ensure the same controls are not being covered twice. If the auditor has more time, then all Annex A controls could be audited at a high level.
The above ISO 27001 internal audit checklist is based on an approach where the internal auditor focusses on auditing the ISMS initially, followed by auditing Annex A controls for successful implementation in line with policy. This is not mandatory, and organisations can approach this in any way they see fit.
Organisations should aim to have a clearly defined, documented audit plan which covers all of the controls and requirements over a defined period, e.g. 3 years. Aligning this cycle with the external audit schedule is often recommended to get the right balance of internal and external audits. The below provides some further considerations as part of an ISO 27001 internal audit checklist.
ISO 27001 Internal Audit Checklist – Further Considerations
The following considerations should be made as part of an effective ISO 27001 internal audit checklist:
- Is the internal auditor competent, trained and qualified? An ISO 27001 Lead Auditor is highly recommended.
- Are the outputs from internal audits actionable? Do all findings and corrective actions have an owner and timescales?
- Does the internal audit schedule cover all of the ISMS requirements (clauses 4-10) and Annex A controls? Have control/risk owners been identified?
- How will the internal audit take place? Workshops, one-to-one reviews, physical testing/assurance?
- Have senior management assigned sufficient resources and time to conduct internal audit?
In summary, internal audit is a mandatory requirement for ISO 27001 compliance; therefore, an effective approach is necessary. Organisations should ensure internal audit is conducted at least annually, or after major changes that may impact on the ISMS.
The ISMS objectives should always be referred to in order to ensure the organisation is meeting its intended targets. Any outputs from internal audit should be addressed with corrective action immediately, tracked and reviewed.