How to conduct an internal audit for your organization

Internal audits are just as important for ISO 27001!

Preparing for an ISO 27001 internal audit is a daunting task, especially if you’ve never done one before. But don’t worry! Obtaining ISO 27001 certification is a great thing for your business. It shows you care about your security and, especially, your customers’ security. In turn, this will earn you more loyalty and help you grow your clientele.

In this article, I will explain what ISO 27001 is and why it is important. Then we will go into what is involved in an internal audit. Finally, I will share a handy checklist to help you along the way. Let’s start with what ISO 27001 is.

ISO 27001 and its importance

ISO 27001 is an international standard established by the International Organization for Standardization. 167 countries around the world recognize the ISO standard.

In particular, ISO 27001 standardizes the protection of information assets. This includes paper files, documents, binders, emails, etc. The objective of the ISO 27001 standard is to protect this data. It ensures that all the policies on this subject are up to date. It also checks whether the company is following the guidelines set by the ISO.

The ISO standard measures your business against many standard criteria. More specifically, the standard consists of 114 controls in 14 groups and 35 control categories. Let’s take a look at these.

ISO 27001 control groups

To clarify, ISO 27001 will hold your business accountable according to these 14 groups:

  1. A.5: Information security policies
  2. A.6: Organization of information security
  3. A.7: Security of human resources
  4. A.8: Asset management
  5. A.9: Access control
  6. A.10: Cryptography
  7. A.11: Physical and environmental security
  8. A.12: Security of operations
  9. A.13: Communications Security
  10. A.14: Acquisition, development and maintenance of the system
  11. A.15: Relations with suppliers
  12. A.16: Information security incident management
  13. A.17: Information security aspects of business continuity management
  14. A.18: Compliance with internal and external requirements, such as laws

Now, how do you conduct an internal audit of your company? Where do you start? What documentation should you follow? Well, I have some required reading to help you answer those questions.

ISO 27001 Mandatory Requirements

The first thing to remember is that not all organizations are alike. Therefore, not all controls apply to them. However, before you even begin the audit, you will need to draft and define your Information Security Management System (ISMS). The ISMS is essentially your guide to your organization’s security policy.

In addition, the ISO 27001 standard clause 6.12 states that you must carry out a risk assessment and set a risk treatment methodology. In other words, if you find a risk, what is your process for addressing that risk?

In addition to this, you will also need to write your documentation on some required clauses:

[Image: mandatory documentation clauses for ISO 27001. Caption: Above all, don’t forget your documentation!]

You can also find more information about each clause here.

Because of these clauses, the first phase of certification can take up to 6 months to complete. If you haven’t documented these processes yet, get a team together and write. Besides the documentation, let’s now look at the stages of the internal audit itself.

What is an ISO 27001 internal audit?

In total, the audit consists of 5 parts.

1. Literature Review

To begin with, this is a review of your organization’s policies, procedures, standards and guidance documents to ensure they are fit for purpose, reviewed and maintained. These documents are the ones I discussed in the previous section. The auditor will then verify that you have the documentation and that it meets the criteria.

2. Audit of evidence

This is an audit activity that samples evidence. It demonstrates that workers are complying with policies, following procedures and standards, and following the guidance given. You can collect this evidence by talking to employees about processes and procedures, as well as by taking samples of work items.

3. Analysis

Following the review of documentation and the sampling of evidence, the auditor will assess and analyze the findings. Consequently, they will confirm if the Standard requirements are met.

4. Audit report

Once the analysis is complete, you will prepare an audit report and provide it to management to ensure visibility. This is a mandatory step regardless of the outcome of the audit.

5. Management review

Finally, management should review the report and consider the findings. Next, you must ensure that the necessary corrective actions and improvements are implemented.

To make sure you are prepared for the audit, I have prepared a checklist for your convenience in the following section.

ISO 27001 Audit Checklist

This checklist will help you prepare for your audit. The last thing you want is to enter the audit phase unprepared, which only lengthens the process further.

[Image: a group of employees gathered around a desk analyzing a paper. Caption: Generally, the audit process takes time, so be sure to prepare the team well in advance!]

1. Literature Review

  • Review all the documentation you used when you started creating your ISMS
  • Ensure the scope of the audit matches your organization (this will help you establish well-defined boundaries in the audit process)
  • Identify all the key people in your ISMS and go back to them for any information the auditor requests

2. Management review

  • Start meeting with management early and establish rules, communication, expectations and a schedule
  • Schedule regular review meetings to ensure that both parties complete tasks in a timely manner

3. Field review

  • Talk to IT to assess how the ISMS works in real life (this will help you determine if it is being ignored)
  • Perform audit testing and gather evidence to establish what works and what doesn’t
  • Document the results of each test in a report
  • Review your ISMS and other related information to compare your results

4. Analysis

  • Sort and review evidence and findings regarding your risk treatment plan
  • Analyze the gaps in your process or do more tests

5. Report

  • Create a report to present to the management team
  • Write an introduction clarifying the scope, objectives, timing and extent of the audit
  • Create an executive summary to cover the main findings, a high-level analysis and an overall summary of the audit
  • List the intended recipients, findings, conclusions and recommended corrections
  • Conclude with a statement detailing recommendations and scope limitations

In short, this comprehensive checklist will help you define your tasks for your internal audit. I hope this will help you prepare as much as possible.

Last words

After reading this article, you should be ready to prepare for an internal audit for your ISO 27001 certification. I showed you all the parameters that ISO checks, but you still need to know which ones apply to your organization. I’ve also detailed the entire audit process and given you a checklist to refer to at each step.

You have done well to embark on the path to ISO 27001 certification. Good luck in your quest!

If you have any questions on the subject, consult the FAQs and Resources headings below.

FAQs

What are the benefits of obtaining an ISO 27001 certificate?

The ISO 27001 certificate proves to your customers and the business community at large that your organization takes data security seriously. ISO 27001 is an international standard recognized in 167 countries. No matter where you do business in the world, your certification will be recognized. Therefore, it reflects your seriousness about security.

Who carries out the ISO 27001 audit itself?

You carry out an internal audit yourself. Conversely, an ISO auditor will carry out your certification audit. In general, internal audits can help you maintain your certification or help you prepare for a first certification audit to avoid any surprises.

How often should I do an internal audit?

There is no guideline indicating a time frame for internal audits, but it is usually a good idea to do one annually. However, annual audits consume a lot of resources, so they may not be ideal. As a result, many prefer to conduct them every two to three years.

What is an ISMS?

ISMS stands for Information Security Management System. It is a guide to your organization’s security systems, protocols, and the people who work directly with them. Essentially, your ISMS helps you protect and manage your organization’s information and data through effective risk management and mitigation. It also allows you to comply with many laws, including the GDPR (General Data Protection Regulation). Finally, it focuses on protecting three key aspects of information: confidentiality, integrity and availability. In short, it is the keystone of an ISO 27001 audit.

How long does an internal audit take to complete?

It really depends on the size of your organization, the number of people working there, and the current state of existing documentation. On average, it can take anywhere from 2-4 months to complete an audit.

Resources

TechGenix: The Journey to ISO 27001 (Part 1)

Find out how to get started on your path to certification.

TechGenix: The Journey to ISO 27001 (Part 2)

Continue your path to certification.

TechGenix: article on ISO 27001 and obtaining certification

Find out what ISO 27001 is and how to get certified.

TechGenix: Guide to obtaining ISO 27001 certification

Here’s a step-by-step guide on how to get started on your path to certification.

TechGenix: ISO Standards of Interest Article

Learn more about some notable ISO standards.
