ISO 27001 Internal Audit

An ISO 27001 internal audit involves examining an organization’s Information Security Management System (ISMS) before pursuing an ISO audit with an external auditor. The internal audit aims to identify loopholes or shortcomings that could weaken the ISMS and hinder its ability to meet the objectives required by the ISO standard. Completing an internal audit is required before an initial or annual ISO 27001 certification audit.

As per the ISO 27001 standard, the internal audit function is a requirement for claiming full certification. That said, it differs from a certification review, in which an organization must use an external third-party auditor to review its documentation and processes. An internal audit can be performed either by a member of staff within the organization or by an independent third party, for instance a consulting firm.

When deciding how to carry out an internal audit, an organization must keep the following points in mind:

  • The company must ensure that the selected auditor is objective and impartial. This is important for confirming that there are no conflicts of interest and that an appropriate separation of duties is in place. In practice, it means the auditor must not have designed, and must not directly operate or monitor, any of the controls that fall within the scope of the internal audit.
  • The company must ensure that the auditor is qualified to undertake the engagement: competent in auditing processes and procedures, and familiar with the ISO 27001 standard.

Once the internal audit results are available, including any nonconformities, they should be shared with the ISMS governing body and the company’s senior management. This preserves the credibility of the process and allows problematic issues to be identified and addressed before the external audit is pursued.