OUR THOUGHTS ON:

Meeting the Internal Audit Requirement for ISO 27001:2013

Risk Advisory/Internal Audit

By Andrew Jackson

ISO 27001:2013 is an information security framework published by the International Organization for Standardization (ISO) that formally specifies an Information Security Management System (ISMS), the framework through which an organization identifies, analyzes and addresses its information risk. It comprises 14 controls groups that consist of 35 control objectives and 114 controls, as described within Annex A of the requirements documentation. Clauses 4-10, described in detail within, are required to certify an ISMS against ISO 27001:2013 and focus on the context, leadership, planning, support, operations, evaluations and improvement of the organization.

Why do I need an Internal Audit?

One of the core functions of an ISMS is an independent and periodic Internal Audit against the requirements set within the ISO 27001:2013 standard. The function is specifically called out within Clause 9.0, Performance Evaluation. Clause 9.2, in fact, mandates the organization conduct Internal Audits at planned intervals to provide information on whether the ISMS conforms to the organization’s own requirements for its ISMS and the requirements of the International Standard.

Each organization must complete the following steps to comply with this clause requirement:

  • Plan, establish, implement and maintain an audit program, including the frequency, methods, responsibilities, planning requirements and reporting. The audit program should take into consideration the importance of the processes concerned and results of the previous audits;
  • Define the audit criteria and scope for each audit;
  • Select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;
  • Ensure the results of the audits are reported to relevant management; and
  • Retain documented information as evidence of the audit program and the audit results

What needs to be completed for the Internal Audit?

The main thing the Internal Audit is not is a tick-box exercise. The Audit should be derived from the issues, scope, locations, departments, processes, risk and the Statement of Applicability. The full Internal Audit only has to be completed once every three years of the ISO 27001:2013 certification cycle, but completing the full process each year allows you to view how the business works in practice, and permits the ability to discover opportunities for improvement or uncover a possible risk that might not have been observed by simply performing a surveillance audit.

The five stages to an ISO 27001:2013 Internal Audit include:

  • Document Review. Review and read all documentation created when you implemented your ISMS program, which will set clear limits on the scope of what needs to be audited;
  • Audit Plan. Auditors and management should create a detailed checklist of what needs to be completed. This plan should also include the timing and resources for the Internal Audit;
  • Field Review. Auditors will complete fieldwork for the whole company, talk with employees, check equipment and observe how the ISMS works throughout the organization. Testing will also be conducted around processes and procedures;
  • Analysis. Evidence that has been collected should be reviewed in relation to the risks and control objectives; and
  • Report. The findings of the audit should be presented to management in a formal report.

Following these five steps will allow for a successful and meaningful Internal Audit around your ISMS against the ISO 27001:2013 standards, and will be a major step in improving your organization and ISMS.

Why can’t I complete my own Internal Audit?

Many organizations believe they can conduct their own Internal Audit of ISO 27001:2013, but then realize the individuals who would be completing the process have operational control or ownership of the controls being audited. This leads to an independence issue that would render the audit insufficient. To combat these issues, organizations often outsource their Internal Audit requirement to CPA firms like Schneider Downs, an organization that possesses the appropriate knowledge of Internal Audit and ISO 27001:2013.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at contactSD@schneiderdowns.com.

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2019 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

comments