How to Conduct an Internal Audit of an ISMS Based on ISO 27001

As part of the Information Security Management System (hereinafter ISMS) cycle of this international standard, organizations must carry out internal audits at planned intervals to provide information about whether the information security management system complies with the organization’s own established requirements and the requirements of the international standard ISO 27001, as well as to verify that the system is effectively implemented and maintained.

The organization must follow these steps to conduct the internal audit:

Internal Audit Management

An audit plan must be defined that includes the frequency and execution dates, the scope, the methodology of the audit itself, and the assignment of the people responsible for planning, conducting, and reporting results. This plan should include a description of the physical locations, organizational units, activities and processes covered, as well as start and end dates.

It is important to emphasize that internal audits must be carried out by personnel who have not participated in the implementation of the ISMS, to ensure the objectivity and impartiality of the audit and the independence of the auditors.

Audits will be conducted at least annually, and always before the certification or follow-up audit.

The audit scope will include the review of the complete management system, based on the ISO/IEC 27001 standard, as well as the review of a selection of controls implemented in the entity. This selection of controls will be made by mutual agreement between the Lead Auditor and the ISMS Manager, using the information in the Statement of Applicability (SoA). Additionally, it must be ensured that all controls in Annex A (control objectives and reference controls) of the ISO 27001 standard have been audited within a 3-year cycle.
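The 3-year rule above is easy to state and easy to lose track of once the annual selection is agreed control by control. The following Python script is an added example (not from the original article or from GlobalSuite Solutions) that implements the check a Lead Auditor and ISMS Manager would want before agreeing this year's selection: it takes a Statement of Applicability and the history of when each control was last tested, flags controls that are already outside the cycle, flags those that will fall outside it before the next annual audit unless tested now, and proposes a selection. The control IDs, applicability flags and audit dates are constructed sample values in Annex A style, not a real SoA.

```python
from datetime import date

# Constructed sample Statement of Applicability (SoA): control ID -> applicable?
# The IDs are placeholders in Annex A style, not a real organization's SoA.
SOA = {
    "A.5.1": True,
    "A.5.2": True,
    "A.5.3": False,   # excluded with a justification in the SoA; outside the cycle
    "A.8.1": True,
    "A.8.2": True,
    "A.8.3": True,
}

# Constructed audit history: control ID -> dates on which it was tested.
HISTORY = {
    "A.5.1": [date(2022, 3, 10)],
    "A.5.2": [date(2021, 3, 12), date(2023, 3, 8)],
    "A.8.1": [date(2021, 3, 12)],
    "A.8.2": [],                       # never tested since the ISMS was set up
    "A.8.3": [date(2020, 3, 2)],
}

# Constructed date of the internal audit being planned.
AUDIT_DATE = date(2024, 3, 15)


def applicable_controls(soa):
    """Controls the SoA marks applicable; excluded controls are not in the cycle
    (their exclusion justification is reviewed with the SoA, not as a control test)."""
    return sorted(c for c, applicable in soa.items() if applicable)


def last_audited(history, control):
    """Most recent test date for a control, or None if it has never been tested."""
    dates = history.get(control, [])
    return max(dates) if dates else None


def shift_years(d, years):
    """Same calendar day `years` later (or earlier, if negative); Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def coverage_status(soa, history, audit_date, cycle_years=3, interval_years=1):
    """Classify every applicable control for the audit held on `audit_date`.

    overdue: last test is older than the cycle, so the 3-year rule is already broken.
    due:     not overdue yet, but will be by the next audit (one interval later)
             unless tested now, so it must be in this year's selection.
    ok:      can wait for a later audit within the cycle.
    """
    overdue_cutoff = shift_years(audit_date, -cycle_years)
    next_audit = shift_years(audit_date, interval_years)
    due_cutoff = shift_years(next_audit, -cycle_years)
    status = {"overdue": [], "due": [], "ok": []}
    for control in applicable_controls(soa):
        last = last_audited(history, control)
        if last is None or last <= overdue_cutoff:
            status["overdue"].append(control)
        elif last <= due_cutoff:
            status["due"].append(control)
        else:
            status["ok"].append(control)
    return status


def plan_selection(soa, history, audit_date, extra=0, cycle_years=3):
    """Selection to agree between Lead Auditor and ISMS Manager: everything overdue
    or due, plus `extra` of the 'ok' controls (least recently tested first) so the
    workload is spread across the cycle instead of piling up in year 3."""
    status = coverage_status(soa, history, audit_date, cycle_years)
    mandatory = status["overdue"] + status["due"]
    optional = sorted(status["ok"], key=lambda c: last_audited(history, c))
    return mandatory + optional[:extra]


if __name__ == "__main__":
    for bucket, controls in coverage_status(SOA, HISTORY, AUDIT_DATE).items():
        print(f"{bucket:8s} {', '.join(controls) or '-'}")
    print("selection:", ", ".join(plan_selection(SOA, HISTORY, AUDIT_DATE, extra=1)))
```

With the sample data, A.8.1, A.8.2 and A.8.3 are already outside the 3-year window (a finding in its own right, since the cycle has been breached), A.5.1 was last tested in March 2022 and would fall outside the window before the 2025 audit, so it is mandatory this year, and A.5.2 may wait. The "overdue" list is also the evidence an external auditor would ask for when checking that the 3-year cycle was respected, so it is worth keeping the history in a form this kind of check can read rather than only in the narrative of each year's report.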

Internal Audit Execution

To ensure proper execution of the audit, the auditor will inform the managers of the audited areas in advance that they will be subject to an internal audit process, and will request the necessary documentation beforehand in order to analyze it and then carry out the audit.

The Internal Audit of the ISMS consists of reviewing two distinct parts:

  • Management System: review of the documentation and of the ISMS management framework, including context, scope, risk analysis and management, Statement of Applicability (SoA), security policy, security roles, non-conformity management, dashboard, etc.
  • Compliance tests: in this phase, the degree and effectiveness of the implementation of the security controls in the entity are checked. Interviews are conducted with asset owners, business process managers and direct or indirect users of the ISMS; risk areas are reviewed; the established objectives and goals are checked; system documentation is examined on site; etc.

Report on Audit Results

Once the necessary evidence has been collected to verify compliance with the different sections and controls of the standard, the internal audit report is generated, the results of which must be communicated to the organization’s Management, the audited areas, and the Security Committee for evaluation and treatment at the corporate level.

The ISMS manager will be responsible for reporting the results obtained, as well as maintaining the records derived from conducting internal audits.

The report will contain at least the following points:

  • Audited areas and scope, as well as the audit date.
  • Non-conformities and observations found, agreed upon with the auditees.
  • Assessment of the strengths and areas for improvement of the ISMS.
  • Proposed corrective actions for each identified qualification or non-conformity, aimed at correcting the specific deviation found.
  • Recommendations: these are not corrective actions for a particular qualification, but opportunities for improvement or actions that could lead to an evolution or greater maturity of the audited process in question, and which do not currently constitute a qualification or non-conformity.
  • Audited documentation.
  • Auditor(s) signature.

Action Plans

After completing the internal audit report, the ISMS manager should establish follow-up actions to verify the effectiveness of the corrective actions derived from the internal audit. These action plans should be approved at the highest possible level in the organization, to ensure the correction of those issues or processes that are not being fully complied with.

Contracting an external audit service with specific knowledge in the subject matter to be audited is key for your company to have an objective audit report. The consulting team at GlobalSuite Solutions guarantees the success of the internal audit work, as well as the implementation of the proposed action plans for correcting deviations.