For many companies, preparing for ISO/IEC 27001:2022 (ISO 27001) certification is a major effort. But all the information security management system (ISMS) measures during the year also cost time and should therefore be well planned and organized. The performance of internal audits is an essential part of a well-functioning ISMS and is also a formal requirement of the standard. We asked Andrea Rupprich, Managing Security Consultant at usd AG, what she would give companies on the subject of internal audits according to ISO 27001 from her 25 years of experience in this field.
Andrea, first of all the question: what is the difference between an internal ISO 27001 audit and the actual ISO 27001 audit?
Internal audits are a recurring trial run and in the end serve the continuous improvement of the management system. They may be planned and carried out by the company with internal resources. The ISO 27001 audit, on the other hand, is a certification audit and is always performed by externally accredited auditors on behalf of a certification body.
How often are internal ISO 27001 audits to be performed?
Basically annually, but the concrete content and procedure is determined individually for each company within the framework of the so-called audit program.
What does an audit program cover?
Based on the scope of the certification, the audit program specifies the frequency of audits, the goals to be achieved, the procedures to be used, and the responsibilities for follow-up and reporting.
Does the internal audit always check everything?
No, usually not. Before initial certification, the internal audit covers all chapters of ISO 27001 and the entire scope. From then on, the audit program must ensure that the ISMS complies with the requirements issued by the organization. To demonstrate this, all business processes covered by the ISMS (according to the scope) must be audited at least once every three years, at least on a random basis.
What should I consider when planning the areas to be audited in my audit program?
It is important that it can be implemented well in practice. In other words, the areas to be audited should be able to be audited individually and with manageable effort. In addition, the criticality of the business or service processes and the severity of findings from previous audits should be taken into account when selecting audit areas.
Who are the typical participants of the audit sessions in my company?
Depending on the business process to be audited and the chapter of the standard to be audited, representatives from IT, development and the respective area, but also from HR, compliance, legal, purchasing and top management are usually present in addition to the information security officer (ISO for short). In the case of on-site inspections, employees from reception and facility management are also involved in order to enable access.
What should I consider in preparation for inspections?
The internal auditor needs site and room plans for preparation, just like the external auditor in the subsequent monitoring or certification audit. In particular, existing security zones should be visible here, and their access restrictions should be checked during the inspection. In addition, inspections always check whether information classified as confidential can be viewed unintentionally; it is therefore essential for employees to take the Clean Desk into account.
Are there any ironclad rules that have to be taken into account during an internal audit?
I would limit it to two that I find particularly important.
First, remember the "Holy Trinity" of an audit. Are all the requirements of ISO 27001 documented in guidelines, do they implement these requirements and can they prove the implementation with suitable evidence? After all, random samples are always taken during interviews, document reviews and on-site inspections. This applies to internal audits as well as to external ones.
Second: Don't worry about findings. The internal audit provides an opportunity to identify areas for improvement. So everyone involved should be honest and transparent about what the status is. This is the only way to identify deviations, which are an important basis for the continuous improvement process.
What do I get as a result of the internal audit?
The result of the internal audit is a formal audit report that can contain improvement opportunities, so-called Opportunities for Improvement (OFIs), minor and major deviations. Unlike the actual audit, this report also provides valuable concrete recommendations for action to potentially address the findings. The result thus serves as a further planning basis for determining necessary measures and investments before the actual audit is carried out.
Do you have any questions or need assistance with your internal audit? Contact us, we will be happy to help you.