As someone working at an organisation which is ISO 27001 certified and has recently passed its annual surveillance audit, I have come to appreciate the role of the ISO 27001 ISMS Internal Auditor.
As a matter of fact, it’s hard to imagine that any organisation can succeed in achieving and maintaining ISO 27001 compliance without employing Internal Auditors. Our Internal Auditor, for example, was instrumental in reviewing the effectiveness of the selected security controls and recommending suitable modifications where requirements weren’t met. In other words, he played a major role in our company passing the surveillance audit, a task that was not only necessary but also rewarding.
Whilst smaller organisations can probably cope with just one ISO 27001 ISMS Internal Auditor, medium-sized and large organisations usually need to appoint several Internal Auditors from various departments, e.g. HR, Finance, Sales, IT, etc. Appointing Internal Auditors by department scales up the responsibility and reduces the risk of mistakes that could arise from under-resourcing. Appointing Internal Auditors by department also improves the integrity of the ISO 27001 CAPA (Corrective and Preventive Action) programme.
An ISO 27001 ISMS Internal Auditor is very useful during the implementation phase of the ISO 27001 ISMS project, as they provide strategic guidance and set goals for the audit programme. They then play a major role after the completion of the ISMS project, once ISO 27001 compliance has been achieved, by reviewing and maintaining compliance.
Senior Managers make good candidates for Internal Auditors. For example, HR Managers can particularly benefit from qualifying as Internal Auditors, as they are used to ensuring policies are kept up to date with standards and acts, such as the Data Protection Act (DPA). Becoming part of the ISO 27001 ISMS team can make their job easier, as they’ll already be up to speed with meeting the relevant requirements.
Becoming an ISO 27001 ISMS Internal Auditor provides professionals with generic auditing skills which can be used in different environments (not just in the context of ISO 27001 compliance). Internal Auditors are also valuable to an organisation for auditing third-party suppliers and partners to ensure they have adequate security controls in place.
As the trainer for the ISO 27001 ISMS Internal Auditor Training Course, Nick Orchistron says he always aims to help delegates look beyond pure compliance, as it’s important that they have their eyes set on improvement too. Nick provides his delegates with hints and tips on ways to approach auditing, both from an auditor’s perspective and from that of an auditee, to make the process simpler and more successful.
Appointing, or becoming, an ISO 27001 ISMS Internal Auditor will streamline the process and ensure compliance is upheld and maintained. The ISO 27001 ISMS Internal Auditor Training Course will prepare delegates for the job and provide them with useful hints and tips, whilst making the learning process enjoyable. Either way you look at it, appointing or becoming an ISO 27001 ISMS Internal Auditor is a win-win situation for both the individual and the organisation.