To gain and/or maintain ISO 27001:2022 certification, a business must perform internal audits in line with an internal audit programme. Your internal audit requirements under the ISO 27001:2022 standard are set out in Clause 9.2 ‘Internal Audit’.
In this blog, we outline what these internal audit requirements are, how to conduct an audit, and the differences between an internal and external audit.
What Are the ISO 27001:2022 Internal Audit Requirements?
An internal audit must meet the requirements of clause 9.2. An internal audit helps verify the ISMS’s compliance with the ISO 27001 standard and the things the business says it will do. The internal audit is an opportunity to identify noncompliance and areas for improvement during the calendar year.
To summarise, these are your internal audit requirements in relation to 9.2.1 – Internal Audit:
- You (the company) must perform internal audits at planned intervals.
- These internal audits are to verify whether the Information Security Management System (ISMS) meets the company’s own requirements for its ISMS (i.e. are you doing the things you say you do?).
- These audits are also to verify if the ISMS meets the requirements of the ISO/IEC 27001:2022 standard.
In relation to 9.2.2 – Internal Audit Programme:
- You must plan, establish, implement and maintain an audit programme. You also need to consider the importance of the processes concerned and the results of previous audits. Business objectives, or concerns in a particular control area, can provide a reason to revisit and audit certain areas of the standard in more detail.
- The criteria and scope of each audit must be defined.
- Auditors must be selected who ensure the objectivity and impartiality of the audit process.
- The results of the audits are to be reported to the relevant management.
- There must be documented evidence of the audit programme implementation and audit results.
For the exact wording of these requirements, please see the ISO/IEC 27001:2022 standard, clause 9.2. It is worth noting that ISO 27001:2022 differs from the 2013 version of the standard in this area. If you are currently aligned to the 2013 version, you’ll need to review clause 9.2 prior to your transition to 2022.
What is the Scope of an ISO 27001 Internal Audit?
The audit programme must detail the audit frequency and methods. A common challenge can be gaining the time of auditees and aligning diaries, so you may want to perform an annual internal audit over consecutive days or broken into separate internal audits, depending on which better suits your auditees. Each audit should also have a clear scope and agenda.
How to Conduct an ISO 27001 Internal Audit
There are two approaches to conducting an ISO 27001 internal audit.
External Resource
Companies such as Bridewell can perform internal audits as a service. Services such as these provide a qualified auditor who will help to scope the audit, create an agenda, conduct the audit through a combination of workshops, and perform documentation review and interviews. The auditor also provides a documented audit report.
Internal Resource
You can also perform an internal audit using internal resources, but there are some important considerations, such as resource, competency and experience. Reporting structure is also an important consideration, as there is a need to ensure objectivity and impartiality: an auditor should not be auditing controls they own, risks they are the owner of, or the work of their own line management or top management, as each of these relationships can compromise impartiality.
If a business is auditing itself, or the auditor conducts an audit on their own employer or business line, there is the potential for a conflict of interest. Something we also see is that many businesses may attempt an internal audit, only to realise they lack the expertise, resource and experience to perform it to the required standard.
The Difference Between Internal and External Audits
External audits are conducted by a certification body. These consist of ISO 27001 certification audits and surveillance audits.
Certification Audit
This is where the recommendation for certification (or, at recertification, continued certification) is made. The certification audit covers all mandatory clauses and all in-scope Annex A controls. These audits are to ensure the requirements of the standard have been met.
Surveillance Audit
Surveillance audits cover a subset of the Annex A controls at each visit, but between them cover the entire standard across the three-year certification cycle. They are usually performed annually. These audits are to ensure the requirements of the standard are being maintained.
Regardless of audit type (internal or external), the audit reports and findings must be circulated to senior management. The added significance of the external report is that, if there are significant or systemic findings, certification may not be awarded or renewed, or may be delayed while rework is carried out at additional cost.
Conducting frequent and sufficiently thorough internal audits will maintain the health and management of the ISMS, which also helps in producing evidence and preparing for the external audits.
ISO 27001 Internal Audit Process (Step by Step)
- Comply with the requirements and timelines of the internal audit programme.
- Select the auditor/s. Remember, they must provide impartiality and objectivity of the audit process.
- Produce and issue an audit scope and agenda aligned to the audit programme. Avoid audits around half term, school holidays, Christmas, and peak business periods.
- Identify who is best placed to support the various agenda items. Issue invites to the auditees well in advance.
- Prepare for the audit (e.g. collection of evidence or aligning audit attendees to the audit agenda items).
- Conduct/host the internal audit.
- Produce and issue (or receive) the internal audit report, and make sure its findings are understood.
- Share the internal audit report with relevant management.
- Add the audit findings to a non-conformance register. Perform a root cause analysis, and set corrective action plans. Setting clear action owners and deadline dates is advised.
- Post audit, the business should be able to evidence completion of the corrective actions, and should record commentary and evidence against the entry in the non-conformance register.
Define the Scope of your Internal Audit
The audit programme (Clause 9.2) will aid the definition of the internal audit scopes and frequency. We often help clients shape and schedule this activity, to help align to their own business demands and resource availability or constraints.
Conduct Documentation Review
Clearly organised files, policies and evidence folders can aid an auditor in performing documentation reviews. Something you should consider is how to provide the auditor with access to the documentation securely, and to also manage who can access this information in general.
Some evidence will be more sensitive than others, with access managed accordingly. In comparison, company policies and security awareness material should be available to staff. Mandatory clause 7.5.3 (control of documented information) is a useful reference when planning or implementing ISMS documents.
Evidence Collection
To support the review of documented information evidence, a top tip is to collect evidence relating to the clauses and Annex A controls throughout the course of a year, and save that evidence in an access controlled folder structure/ wiki (or similar) for ease of navigation. This evidence can then be shown in both internal and external audits.
Other evidence will need to be presented in audit sessions, which may involve auditees talking through a process and providing examples on screen. This aspect relates to the ISMS implementation, security awareness, and familiarity with the ISMS and what audits involve. This is a common talking point in our ISO 27001 implementations.
Required Internal Audit Documentation
Beyond the documented information the standard itself mandates, the auditor will need the supporting documented evidence (documents, screenshots, policies, procedures, records, KPIs, incident registers, change records, minutes, non-conformance trackers, legal trackers, document registers, reports, etc.) which can be used to show the implementation of the controls listed as applicable in the Statement of Applicability.
Conduct a Management Review
The management review is to ensure that ‘top management’ review the ISMS at planned intervals to ensure it remains suitable, adequate, and effective. Clause 9.3.2 details the inputs to be considered for the review meeting, and 9.3.3 details what must happen with the results.
An internal audit should check that the management review is being performed to the agreed schedule, that top management participate, and that the requirements relating to inputs and results are evident. Evidence can include review minutes and the corresponding actions and updates which are managed via the meeting. The results of audits are a mandatory agenda item in the management review.