As part of the management system requirements, Clause 9.2 details what must be done regarding internal audits. This includes a requirement for retaining documented evidence of the audit results, and this is done by way of an audit report.
An ISO 27001 internal audit involves a competent and objective auditor reviewing the ISMS or elements of it and testing that:
In addition to checking the overall compliance and effectiveness of the ISMS, because ISO 27001 is designed to enable an organisation to manage its information security risks to a tolerable level, the audit will need to check that the implemented controls do in fact reduce risk to a point where the risk owner(s) are willing to accept the residual risk.
Clause 9.2 Internal audit mandates:
“The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system:
a) conforms to
b) is effectively implemented and maintained.
The organization shall:
c) plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits;
d) define the audit criteria and scope for each audit;
e) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;
f) ensure that the results of the audits are reported to relevant management; and
g) retain documented information as evidence of the audit programme(s) and the audit results.”
Internal audits for ISO 27001 work by following an audit programme that identifies the audits to be carried out before certification and during each certification period.
They require the selection of a competent and objective auditor to undertake each internal audit verifying compliance with the requirements of the standard, the organisation’s own information requirements and objectives for the ISMS, and that the policies, processes, and other controls are effective and efficient.
Activities included within an internal audit:
Although ISO 27001 itself does not state how often you must perform internal audits, the audit programme is expected to follow the same requirements as those placed upon certification bodies for conducting their audits under ISO/IEC 27006:2015 – Requirements for bodies providing audit and certification of information security management systems.
Within ISO 27006, requirement 9.1.5.2 e) states that the audit programme “covers representative samples of the scope of the ISMS certification within the three year period.”
Therefore, you need to conduct internal audits covering the entire standard, at minimum, over the certification period (3 years for UKAS accredited certificates).
You could do this as a single audit, but it is more commonly broken down into smaller audits over the 3-year period.
It is also important to audit some areas more frequently if the risk levels are high or the area is subject to frequent changes.
It’s recommended that you audit the management system requirements (Clauses 4-10) annually. This can be tied into your ISMS management review, which also has to be conducted annually.
Within ISMS.online, we provide a pre-built Audit Programme work area which includes:
The standard requires you to document the audit results – Clause 9.2 of ISO 27001 includes the requirement to “retain documented information as evidence of the … audit results”.
This is done within an Audit Report.
Obviously, before you can document the audit report, you have to plan and carry out the audit. You can then document the findings in the report.
For each audit, you will need to plan:
Every audit will require the review of relevant documentation, including policies, procedures, standards, and guidance relevant to the area(s) of the standard being audited. It is good practice to advise those being audited of the areas to be covered to ensure easy and timely access to the relevant documentation.
In ISMS.online, this is made easy by either having the documentation within the system or linking it within the standard’s relevant section.
Most audits will require the sampling of evidence to a lesser or greater degree. This may include interviewing relevant key staff, end users, and sometimes even temporary staff and contractors.
Sources for sampling may include, for example:
Once the data gathering for the audit has been done, it will be necessary for the auditor to assess and analyse the findings to determine any nonconformities or opportunities for improvement.
Findings are normally categorised as one of the following:
Some certification bodies also use:
Having analysed the findings, the audit report can now be prepared and presented to the person or team responsible for the ISMS for review and follow-up.
The audit report must be prepared as documented information, but this does not mean it has to be a separate Word or PDF document. Within the ISMS.online platform, rather than creating such documents, we provide a work area in which the report can be documented directly. This area offers additional functionality, including the ability to link easily to other work areas, policies, controls, risks, corrective action and improvement “tickets”, and more.
The executive summary is useful so that senior management can quickly and easily see an overview of the findings, including any possible critical issues, trends, and opportunities for improvement. This can then be easily linked to the ISMS management review following Clause 9.3.
This will usually include:
To ensure a common understanding of the report’s findings, it is necessary to include definitions of any terminology used that is specific to the organisation, the audit process, or the standard. Remember, not everyone who may need to read, assess and understand the report will necessarily be familiar with all of the terminology used.
This will include:
For each section of the audit, you should document the findings, including notes of any evidential samples taken.*
It is good practice to record compliance and positive points and document any nonconformities or opportunities for improvement.
The findings should record the facts found relevant to the ISMS and the standard and should not include opinion or conjecture beyond reasonable extrapolation.
*Note – if evidential samples contain personally identifiable information, it is usual practice to pseudonymise or anonymise the data in line with privacy legislation requirements such as GDPR.
Where nonconformities and opportunities for improvement are identified, these must be clearly documented so that corrective actions and improvement items can be recorded and managed through the organisation’s recognised processes, as documented in accordance with Clause 10.1 Nonconformity and corrective action and Clause 10.2 Continual improvement.
As this is an internal audit report, it is allowable for an auditor to make recommendations about how an organisation might address findings. Ultimately the decisions relating to corrective actions and improvements must be made by the relevant individuals or teams responsible for the ISMS and information security.
The ISMS.online platform dispenses with the need for creating Word documents, PDFs and spreadsheets by providing an all-in-one-place solution for easily documenting and linking all aspects of the ISMS, including the documentation of audit reports.
ISMS.online includes a pre-built audit programme project that covers both internal and external audits.
The pre-built audit programme includes:
Each internal audit activity contains a template for a combined audit plan and report.
Prior to conducting the audit, the template acts as the audit plan – including which areas are to be audited and providing prompts for recording when the audit will be conducted and by whom.
During or after conducting the audit, the auditor can write notes directly into the templated audit activity.
As well as providing the audit activity templates, ISMS.online lets you link quickly to other work areas within the platform, so that linking audit findings to controls, corrective actions and improvements, and even to risks, is easy and accessible. This enables you to demonstrate to your external auditor the joined-up management of identified findings.