When it comes to ISO 27001, implementing a holistic information security management system (ISMS) in order to meet the standard is difficult—particularly where the internal audit requirement is concerned. As an experienced ISO Certification Body, we consistently hear feedback that the internal audit function is a particularly tricky part of the ISO 27001 standard.
To help you avoid the confusion and difficulties other organizations have experienced, we’re going to address the complexities of the ISO 27001 internal audit by breaking down the explicit requirements stated within the standard.
What is ISO 27001 Clause 9.2?
The common cause of confusion around the internal audit is that many organizations go into it thinking that, functionally, it’s just a simple walkthrough of organizationally specific processes and applicable controls; however, they soon realize that the ISO 27001 internal audit is actually more stringent and control-focused than originally believed.
The reason being, in order to successfully meet the ISO 27001 requirements for internal audit, organizations need to review the framework in addition to all in-scope Annex A controls based on their Statement of Applicability (SOA). As such, implementing Clause 9.2—which is where all the detailed requirements for your internal audit function are located within the standard—can be challenging, especially for smaller organizations.
There are two main reasons for why Clause 9.2 can be challenging to meet:
- The prescriptive nature of the requirements
- The need for resources that:
- Are objective and impartial to the ISMS; and
- Possess the requisite competencies to perform the internal audit function
While we can’t help with compiling your resources, we can explain in more detail each of the requirements addressed by each subclause of 9.2.
ISO 27001 Clause 9.2 Breakdown
The first section we can get through quickly:
- 9.2.1 requires that you conduct internal audits at planned intervals to provide information on whether the ISMS is does the following:
- conforms to your own requirements of the management system (e.g, accomplishing stated objectives or metrics, compliance with regulatory and legislative requirements, compliance with organizational policies and standards, etc.)
- conforms to the requirements of the standard
- is effectively implemented and maintained
But what does “conform to the requirements of the standard” really mean? Let’s take a look at the additional explicit requirements documented within this clause so that you understand exactly how to approach your internal audit.
ISO 27001 Clause 9.2.2 - Internal Audit Programme
What The Standard Says to Do:
- Plan, establish, implement, and maintain an audit program, including the frequency, methods, responsibilities, planning requirements, and reporting
- Document information as evidence of the audit programme(s) implementation and the audit results
How to Comply: Your audit program should be documented to include:
- The frequency and timing of internal audit functions
- The methods by which the internal audit will be conducted
- Assignment of responsibilities determining documentation requirements for the planning, performance, and reporting of internal audit results
In recording all this, make sure to consider the importance of the relevant processes and any results of previous audits (i.e., previous findings or issues).
ISO 27001 Clause 9.2.2a - Audit Criteria and Scope
What The Standard Says to Do: Define the audit criteria and scope for each audit.
How to Comply: While your audit program may also take a higher-level look at your internal audit function as a whole, it may be necessary to document the specifics of each audit that you plan.
With respect to the internal audit of the controls within your SOA, you might opt for a risk-based approach in this due to:
- Available resources
- The need for more a frequent review of controls and processes mitigating higher risks
- Directives by management or ISMS owners
Each of your periodical internal audits should be accompanied by documentation of the criteria and scope of the audit to ensure objectives are met.
ISO 27001 Clause 9.2.2b - Auditor Selection and Independence
What The Standard Says: Select auditors to conduct audits that ensure the objectivity and impartiality of the audit process.
How to Comply: When selecting the audit team that will be responsible for conducting internal audit activities, the objectivity and impartiality of the members are paramount. Not only should the people you choose take care to ensure they are not auditing functions over which they have operational control or ownership, but impartiality is also especially important when considering the auditors who will be reviewing your ISMS against the standard.
In our experience, that’s one of the more common areas we encounter nonconformities—the internal audit of the ISMS against the standard.
Many times, organizations will select an internal auditor who had an integral role in developing the ISMS or who continues to have a role in decision-making for the maintenance and direction of the ISMS. But if that’s the case—if the internal auditor is auditing work that he/she created, or if the responsibility of initiating or implementing any corrective action falls back to that internal auditor—there may be an issue of independence, so you should take care to avoid this misstep.
ISO 27001 Clause 9.2.2c - Reporting on Audit Results
What The Standard Says: Report the results of the audit to relevant management.
How to Comply: Once you complete your internal audit, the internal auditor has a responsibility to ensure the results are reported to appropriate management. These results should be communicated via the management review that occurs on at least an annual basis.
Once your internal audit program is created, approved, and tested, and you establish this review cadence, your process should mature and improve over the following years.
Moving Forward with ISO 27001 Certification
Your ISO 27001 internal audit is about validating the effectiveness of your ISMS through substantive testing and reporting of the results. If you can successfully implement the requirements of Clause 9.2, as outlined here, you’ll be more easily able to consistently do this, though you will need support and input from top management.
The ISO 27001 internal audit may be one of the toughest hurdles to certification, but now you’re better equipped to tackle it. If you’re ready to begin your ISO 27001 internal audit or certification journey, Schellman can help. Contact us today to learn more about our services and we’ll get back to you shortly.
In the meantime, to help deconstruct some of ISO 27001’s other complexities and updates, check out our other content to ensure you’re that much more prepared for certification: