What are the Basics of Internal Auditing?

ISO 27001 Requirement

The internal audit requirements are stipulated in Clause 9.2 of ISO/IEC 27001.  In order to address this as an integral part of management system processes in general, it is recommended that you approach this as a business process, not a stand-alone process you have to do because the Standard says so.  Implementation of an audit process is not a one-off activity to achieve certification, but a recurring process that will be triggered at regular intervals or when there is a significant change in the organisation.  

Once the audit process has been established, we need to identify the auditors.  As stated above, auditors must be selected who will ensure the objectivity and impartiality of the internal audit process.  For the purpose of meeting the requirements of ISO 27001, identifying competent, impartial and objective auditor(s) includes setting the requirements that would sustain any reproach from third parties.

Selected auditor(s) can be internal personnel who are already auditors or those who you train to be auditors.  You can seek external support if you prefer.  The choice is entirely yours, as long as these individuals are not assessing anything that they have been involved in developing or implementing.  It is common practice to outsource this activity to ensure the three pillars of internal auditing are preserved: competency, objectivity and impartiality.

Audit process

As part of the audit process, a schedule or programme must be established, planned, implemented and maintained.  A key practical consideration here may be to avoid any audits taking place during challenging business periods.  This is particularly relevant to those organisations who are subject to regular regulatory and client audits, and want to avoid ‘audit fatigue’.

Likewise, due care should be taken not to extensively audit certain business areas if it can be avoided, in order to avoid any criticism that departments/functions are either being picked upon or being neglected.  Naturally, however, those business areas identified as being critical by the risk assessment will feature prominently in any audit programme.

‍

During the actual audit, all pertinent employees need to be available for interview and to provide evidence, where required, to support the audit.  It is important that employees don’t feel as if they are being subjected to an interrogation and that they understand the audit is all part of a process to continually improve the ISMS.  It is also important that the audit is documented, typically in the form of a report, recording who was spoken to, what was said and importantly, what evidence was found along with a summary of the findings.  It should also contain:

• Nonconformities identified if any
• Opportunities for improvement.

Identification of nonconformities can stem from the organisation’s lack of compliance with the requirements of the Standard, or its own ISMS requirements as defined in policies/processes and identified legal and regulatory requirements.

From an ISO 27001 perspective, following the internal audit, the findings need to be tracked and managed with remediation activities identified.  Often this is through the corrective action or continual improvement process.  The findings, and possibly the report, will be key inputs to the management review, providing an indication of the health of the organisation’s ISMS and overall information security position.

Conclusion

As one of the most important management system processes, internal audit will provide benefits internally and externally by providing evidence that:

• An organisation has implemented and actively maintains its ISMS
• Top management’ is actively involved in ensuring that the ISMS is fit for purpose
• An organisation is continually working on improving its ISMS
• ISMS processes and security controls are reviewed and audited at regular intervals.

‍