Conducting an ISO 27001 internal audit: a 5-step checklist

A core part of successfully maintaining and implementing ISO 27001 is the regular and independent conduction of internal audits.

Data breaches and cyber attacks occur every single day, making cybersecurity not only an increasing concern for businesses, but also highlighting the risks of non-compliance.

As a framework which defines the best-practice approaches for managing cyber risk, the ISO/IEC 2700 is the international standard used to manage an organisation’s Information Security Management System (ISMS).

Simply put, achieving and maintaining ISO 27001 certification can be a way to prevent risk of data breaches and cyber attacks.

Additionally, being ISO certified can be an excellent way to gain and maintain customer trust.

A core part of successfully maintaining and implementing ISO 27001 is the regular and independent conduction of internal audits.

Why conduct internal audits for ISO 27001?

An ISO 27001 internal audit is an examination of your organisation’s information security management system (ISMS) to make sure it meets the standard requirements. In other words, it’s an evaluation of performance.

This is based on clause 9.2 of the ISO 27001 standard, requiring that information is provided on whether the ISMS:

9.2a — conforms to the businesses own requirements for its ISMS

9.2b — conforms to the requirements of the standard

The reason for conducting the internal audit is to ensure the processes undertaken by the business to comply with ISO 27001 are aligned (or rather, are without non-conformities) with the ISO 27001 standard.

Due to this, internal audits must be conducted at least once a year, in order to ensure the ISMS is fulfilling its own system requirements, as well as the requirements of ISO 27001.

What is the goal of an ISO 27001 internal audit?

When audits are implemented effectively, the results can be highly informative when it comes to changing your ISMS for the better.

Internal audits are performed with the goal of determining how effective your ISMS is, as well as uncover any non-conformances.

In turn, this will inform any future improvements.

In short, ISO 27001 internal audits can also be extremely beneficial for an organisation, given that they can give your organisation confidence that the ISMS and respective processes are:

conforming to the requirements of ISO 27001
communicated clearly throughout your organisation
known by employees and key stakeholders
carried out accordingly

ISO 27001 internal audit checklist

As long as they are competent and impartial, any person within your organisation can follow this checklist in order to meet ISO 27001 internal audit requirements:

1. Documentation review

To begin with, review all the documentation created by your organisation when implementing your ISMS. This will help you become familiar with the processes within the ISMS.

2. Management review

After getting acquainted with the documentation, the next step is to identify the key stakeholders in the ISMS and plan which departments to audit, and when.

A simple way of doing this is by establishing checkpoints.

Communicating the above to management can clarify whether timings are realistic, and how to manage staff availability for the audit.

3. Field review (or Evidential audit)

This is the actual audit, during which you will:

Speak with the staff to ask questions on how the ISMS works in practice
Request staff to provide evidence to support their answers
Document any notes and findings

4. Analysis

This stage involves comparing the findings from step 1 (documentation review) against step 3 (field review), and noting where the documentation and the evidence do not align.

5. Report

As part of Clause 9.2, you are required to “retain documented information as evidence of […] the audit results”.

In other words, you will need a final report in order to present your findings to management. This will also drive the action plan undertaken by management aimed at addressing any observations or non-conformities.

Your ISO 27001 internal report should include:

Introduction: covering the scope, objectives, timings and amount of work performed
Executive Summary: this should cover the overall findings, high-level analysis and conclusion
People: who will be responsible for receiving the report, as well as circulation guidelines
Operation: and in-depth analysis of the findings based on the policies reviewed, as well as recommendations, conclusions and corrective actions

How Klarity Works can support your ISO 27001 internal audit

Firstly, with Klarity Works you can centralise all your compliance documentation, including your policies, procedures and guidelines, as well as any other documentation that might act as supporting evidence.

Secondly, all documentation can be tagged, so it is categorised in a way that suits your ISMS, and easily found using our search filters – which can be pre-saved and shared with key members of your organisation.

Thirdly, you are able to easily assign the right documents to the right people, all whilst having full visibility of progress, and your people can stay aligned to the direction of your ISMS.

To find out more, visit our Features page, or if you’d like to discuss your ISO 27001 internal audit needs, simply get in touch – we’re here to help.

More blogs you might like

Compliance

My Favourite Standard: ISO 3103

My Favourite Standard: ISO 3103 The standard that governs the process of making a cup of tea When I write about ISO, more often than

20th March 2023

Security

ISO 27001 Controls: Handling Security Breaches

ISO 27001 Controls: Handling Security Breaches How to deal with them when to do when they do happen The purpose of ISO 27001 is to

17th February 2023

Product Development

Product update: Answers

Introducing Answers Simplify Documentation Management with Inverifi At Inverifi, we understand that managing documentation for compliance can be time-consuming and laborious. That’s why we have