Data breaches and cyber attacks occur every single day, making cybersecurity not only an increasing concern for businesses, but also highlighting the risks of non-compliance.
ISO/IEC 27001 is the international standard for managing an organisation’s Information Security Management System (ISMS); as a framework, it defines best-practice approaches for managing cyber risk.
Simply put, achieving and maintaining ISO 27001 certification can be a way to reduce the risk of data breaches and cyber attacks.
Additionally, being ISO certified can be an excellent way to gain and maintain customer trust.
A core part of successfully implementing and maintaining ISO 27001 is the regular, independent conduct of internal audits.
An ISO 27001 internal audit is an examination of your organisation’s information security management system (ISMS) to make sure it meets the standard requirements. In other words, it’s an evaluation of performance.
This is based on clause 9.2 of the ISO 27001 standard, requiring that information is provided on whether the ISMS:
9.2a — conforms to the business’s own requirements for its ISMS
9.2b — conforms to the requirements of the standard
The reason for conducting the internal audit is to ensure that the processes the business uses to comply with ISO 27001 are aligned with the standard, that is, free of non-conformities.
For this reason, internal audits must be conducted at least once a year, in order to ensure the ISMS is fulfilling its own system requirements as well as the requirements of ISO 27001.
When audits are implemented effectively, the results can be highly informative when it comes to changing your ISMS for the better.
Internal audits are performed with the goal of determining how effective your ISMS is, as well as uncovering any non-conformances.
In turn, this will inform any future improvements.
In short, ISO 27001 internal audits can also be extremely beneficial for an organisation, given that they can give your organisation confidence that the ISMS and respective processes are:
Any competent and impartial person within your organisation can follow this checklist in order to meet the ISO 27001 internal audit requirements:
To begin with, review all the documentation created by your organisation when implementing your ISMS. This will help you become familiar with the processes within the ISMS.
After getting acquainted with the documentation, the next step is to identify the key stakeholders in the ISMS and plan which departments to audit, and when.
A simple way of doing this is by establishing checkpoints.
Communicating this plan to management can clarify whether the timings are realistic and how to manage staff availability for the audit.
This is the actual audit, during which you will:
This stage involves comparing the findings from step 1 (documentation review) against step 3 (field review), and noting where the documentation and the evidence do not align.
As part of Clause 9.2, you are required to “retain documented information as evidence of […] the audit results”.
In other words, you will need a final report in order to present your findings to management. This report will also drive the action plan that management undertakes to address any observations or non-conformities.
Your ISO 27001 internal report should include:
Firstly, with Klarity Works you can centralise all your compliance documentation, including your policies, procedures and guidelines, as well as any other documentation that might act as supporting evidence.
Secondly, all documentation can be tagged, so it is categorised in a way that suits your ISMS, and easily found using our search filters – which can be pre-saved and shared with key members of your organisation.
Thirdly, you are able to easily assign the right documents to the right people, all whilst having full visibility of progress, and your people can stay aligned to the direction of your ISMS.