Mastering ISO 27001: How to Conduct an Internal Audit

Please note new versions of ISO 27001 and ISO 27002 have now been published.

To learn more about what these updates mean for your organisation, and to buy your copies of ISO 27001:2022 and ISO 27002:2022, please visit our information pages.

To stay compliant with ISO 27001, you need to conduct regular internal audits.

An ISO 27001 internal audit will check that your ISMS (information security management system) still meets the Standard’s requirements.

Developing an ISO 27001 audit program can be beneficial since they enable continual improvement of your framework.

This post will explain how to audit ISO 27001.

What is an internal audit?

An ISO 27001 internal audit involves a thorough examination of your organisation’s ISMS to ensure that it meets the Standard’s requirements.

Unlike a certification review, it’s conducted by your staff, who will use the results to guide the future of your ISMS.

The requirements of an internal audit are described in clause 9.2 of ISO 27001.

Why audit an ISMS?

ISO 27001 internal audits provide proactive assurance that the management system and its processes conform with the requirements of the Standard.

It also assures that those processes are communicated throughout the organisation, understood by employees and key stakeholders and executed effectively.

The objective of the audit is to determine any non-conformities, determine the ISMS’s effectiveness and provide the opportunity to improve.

Internal audit benefits

  • Uncover nonconformities before others discover them
  • Ensure a strong security stance by identifying areas that require attention before a security event
  • Demonstrate and inform management commitment
  • Assist staff understanding and awareness
  • Inform continual improvement

ISO 27001 internal audit checklist

To help you meet the ISO 27001 internal audit requirements, we have developed a five-step checklist that organisations of any size can follow.

1) Documentation review

You should begin by reviewing the documentation you created when implementing your ISMS.

This is because the audit’s scope should match that of your organisation.

Therefore, doing so will set clear limits for what needs to be audited.

You should also identify the main stakeholders in the ISMS.

This will allow you to easily request any documentation required during the audit.

2) Management review

The management review is where the audit activity begins to take shape.

Before creating a detailed audit plan, you should liaise with management to agree on the timing and resourcing for the audit.

This will often involve establishing set checkpoints at which you will provide interim updates to the board.

Meeting with management at this early stage allows both parties the opportunity to raise any concerns they may have.

3) Field review

The field review is what you might think of as the ‘audit proper’. At this stage, the practical assessment of your organisation takes place.

You will need to:

  • Observe how the ISMS works in practice by speaking with front-line staff members.
  • Perform audit tests to validate evidence as it is gathered.
  • Complete audit reports documenting the results of each test.
  • Review ISMS documents, printouts and any other relevant data.

4) Analysis

The evidence collected in the audit should be sorted and reviewed in relation to your organisation’s risk treatment plan and control objectives.

Occasionally, this analysis may reveal gaps in the evidence or indicate the need for more audit tests.

5) Report

You will need to present the audit’s findings to management. Your ISO 27001 internal audit report should include:

  • An introduction clarifying the scope, objectives, timing and extent of the work performed.
  • An executive summary covering the key findings, high-level analysis and a conclusion.
  • The intended recipients of the report and, where appropriate, guidelines on classification and circulation.
  • An in-depth analysis of the findings, conclusions and recommended corrective actions.
  • A statement detailing recommendations or scope limitations.

Further review and revision might be needed because the final report typically involves management committing to an action plan.

How often do I need to conduct an audit?

Like many standards, ISO 27001 doesn’t specify how often an organisation needs to conduct an internal audit.

That’s because every organisation’s ISMS is different and will need to be treated as such.

Experts recommend carrying out an internal audit annually. This ISO 27001 audit frequency won’t always be possible, but you need to conduct an audit at least once every three years.

This is the length that most ISO 27001 certification bodies validate an organisation’s ISMS for. This suggests that, beyond this point, there’s a good chance that the organisation has fallen out of compliance.

ISO 27001 internal audit plan template

You can take the hassle out of the audit process and save time and money with our market-leading ISO 27001 ISMS Documentation Toolkit.

Developed by expert ISO 27001 practitioners, it contains a customisable scope statement and templates for every document you need to implement and maintain an ISO 27001-compliant ISMS.

The ISO 27001 ISMS Documentation toolkit includes a template of the internal audit procedure.

Subscribe to our Weekly Round-up

A version of this blog was originally published on 18 July 2018.