ISO 27001:2022 Clause 9.2 Internal audit

9.2.1 General

The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system:

  1. conforms to
    • the organization’s own requirements for its information security management system;
    • the requirements of this document;
  2. is effectively implemented and maintained.

9.2.2 Internal audit program

The organization shall plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. When establishing the internal audit programme, the organization shall consider the importance of the processes concerned and the results of previous audits.
The organization shall:

  1. define the audit criteria and scope for each audit;
  2. select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;
  3. ensure that the results of the audits are reported to relevant management.

Documented information shall be available as evidence of the implementation of the audit programmes and the audit results.

Clause 9.2 addresses internal audits within the context of an Information Security Management System (ISMS). Internal audits provide independent assurance that the ISMS is effectively implemented, maintained and continually improved. They help identify areas for improvement, ensure compliance with ISO 27001 requirements, and contribute to the organization’s overall risk management and security objectives. Organizations are encouraged to treat internal audits as a valuable tool for learning and improvement, using the findings to strengthen their information security processes and controls. Compliance with Clause 9.2 is essential for maintaining the integrity and effectiveness of the ISMS. Below is an overview of Clause 9.2:

Internal Audit Program

Intent: Establish an internal audit program to systematically review the ISMS.

Requirements:

  1. Develop an internal audit program that takes into account the organization’s objectives, risks, importance of processes, and the results of previous audits.
  2. Ensure that the audit criteria, scope, frequency, and methods are defined in the internal audit program.
  3. Appoint auditors and ensure their independence and objectivity.
  4. Ensure that auditors have the necessary competence and knowledge of both audit techniques and the ISMS.

9.2.2 – Internal Audit Process

Intent: Conduct internal audits to provide information on the ISMS’s conformity and effectiveness.

Requirements:

  1. Plan the internal audits based on the organization’s objectives and the importance of the processes.
  2. Define the audit criteria and scope for each audit.
  3. Select auditors and conduct audits to ensure objectivity and impartiality.
  4. Ensure that the audit process considers the findings of previous audits.
  5. Communicate the results of the audit to relevant management.
  6. Ensure that corrective actions are taken without undue delay to address identified nonconformities.

Key Points:

  • Audit Program: The organization needs to have a structured plan for internal audits. This plan should consider the organization’s objectives, risks, and the criticality of processes. It should also take into account the results of previous audits.
  • Audit Criteria and Scope: Clearly define the criteria and scope for each internal audit. This involves determining what aspects of the ISMS will be assessed and against what criteria.
  • Competence of Auditors: The auditors must be competent and possess the necessary knowledge of audit techniques and the ISMS. Their independence and objectivity are also emphasized.
  • Audit Process: Internal audits should be carefully planned, conducted, and documented. The results of the audits should be communicated to relevant management.
  • Corrective Actions: If nonconformities are identified during the audit, corrective actions must be taken promptly to address these issues.

The organization shall conduct internal audits at planned intervals

Conducting internal audits for an Information Security Management System (ISMS) at planned intervals is a critical element in ensuring the effectiveness and continual improvement of the system. Below are steps and considerations for conducting ISMS internal audits at planned intervals:

  • Develop a Schedule:
    • Create a schedule that outlines when internal audits will be conducted. This schedule should be based on the organization’s objectives, risk assessments, and the criticality of processes.
  • Define Audit Criteria and Scope:
    • Clearly define the criteria and scope for each internal audit. This involves determining what aspects of the ISMS will be assessed and against what criteria.
  • Appoint Competent Auditors:
    • Choose auditors who are competent in audit techniques and have a good understanding of the ISMS and its requirements.
    • Ensure that auditors are independent and objective. They should not audit their own work.
  • Document Details:
    • Create documentation that outlines the internal audit program, including details of planned intervals, criteria, scope, and methods.
    • This documentation serves as a reference point for auditors and ensures consistency in the audit process.
  • Pre-Audit Planning:
    • Before the audit, conduct pre-audit planning. This involves reviewing previous audit findings, determining the audit scope, and identifying areas of focus.
  • Communication:
    • Communicate the audit schedule and objectives to relevant stakeholders. This includes the auditees, who should be informed of the audit process and its purpose.
  • Follow the Audit Plan:
    • Adhere to the audit plan, which includes the audit criteria, scope, and methods defined in the internal audit program.
  • Interviews and Document Review:
    • Conduct interviews with relevant personnel and review documentation to assess compliance with the ISMS.
  • Observations:
    • Observe processes and activities to verify that they are being performed in accordance with the ISMS requirements.
  • Record Observations:
    • Document audit findings, including both positive aspects and areas for improvement.
    • Use a standardized format for recording observations, ensuring clarity and consistency.
  • Feedback Session:
    • Hold a feedback session with auditees to communicate the audit results.
    • Clearly communicate any nonconformities and areas for improvement.
  • Corrective Action Plan:
    • Develop a corrective action plan to address identified nonconformities.
    • Assign responsibilities and set deadlines for corrective actions.
  • Management Review:
    • Present the audit findings during management reviews.
    • Use the results of the internal audit to inform decision-making and strategic planning.
  • Continuous Improvement:
    • Implement improvements based on lessons learned from the audit process.
    • Continually refine the internal audit program based on experience and changing organizational needs.
  • Verify Corrective Actions:
    • Conduct follow-up audits to verify the effectiveness of corrective actions.
    • Ensure that nonconformities have been adequately addressed.

By following these steps, an organization can establish a robust internal audit process for its ISMS. Regular and systematic internal audits contribute to the ongoing effectiveness of the ISMS, help identify areas for improvement, and ensure that the organization remains compliant with ISO 27001 requirements.

The organization shall conduct ISMS internal audits to provide information on whether the information security management system conforms to the organization’s own requirements for its information security management system and to the requirements of the ISO 27001 standard.

This statement reflects a commitment to assessing and verifying the alignment of the Information Security Management System (ISMS) with both the organization’s internal requirements and the ISO 27001 standard. Here’s how the organization can fulfill this requirement:

  • Audit Criteria:
    • Define audit criteria based on both the organization’s internal requirements and the ISO 27001 standard.
    • Ensure that the audit criteria cover all relevant aspects of information security.
  • Scope:
    • Clearly define the scope of the internal audit, specifying the boundaries and areas to be assessed within the ISMS.
  • Review Internal Requirements:
    • Ensure that the organization’s internal requirements for the ISMS are well-documented.
    • Review policies, procedures, and other relevant documents to understand internal expectations.
  • ISO 27001 Compliance Checklist:
    • Develop a checklist or audit plan that includes requirements from the ISO 27001 standard.
    • Use this checklist during the audit to systematically assess compliance.
  • Training and Competence:
    • Ensure that internal auditors are adequately trained and competent to assess both the organization’s internal requirements and ISO 27001 compliance.
  • Independence and Objectivity:
    • Emphasize the importance of auditor independence and objectivity during the audit process.
  • Structured Auditing Process:
    • Follow a structured auditing process that includes interviews, document reviews, and observations.
    • Use the defined audit criteria and checklist to guide the audit process.
  • Evaluate Conformance:
    • Evaluate whether the ISMS conforms to both the organization’s internal requirements and the ISO 27001 standard.
  • Record Observations:
    • Document audit findings, noting areas of conformance and any nonconformities.
    • Clearly differentiate between nonconformities related to internal requirements and those related to ISO 27001.
  • Feedback Session:
    • Hold a feedback session with auditees to communicate the audit results.
    • Clearly articulate areas of conformance and nonconformity.
  • Develop Corrective Action Plans:
    • Develop corrective action plans for addressing identified nonconformities.
    • Include actions to improve alignment with both internal requirements and ISO 27001.
  • Verify Corrective Actions:
    • Conduct follow-up audits to verify the effectiveness of corrective actions.
    • Ensure that nonconformities have been adequately addressed.
  • Learn from Audits:
    • Use the insights gained from internal audits to drive continuous improvement.
    • Update internal requirements and processes based on lessons learned.
  • Present Results in Management Review:
    • Present the results of internal audits during management reviews.
    • Discuss the effectiveness of the ISMS in meeting both internal and ISO 27001 requirements.

By aligning the internal audit process with both internal requirements and the ISO 27001 standard, the organization ensures a comprehensive assessment of its ISMS. This approach helps in maintaining conformity with organizational goals and industry standards, fostering a robust and effective information security management framework.

The organization shall conduct ISMS internal audits to provide information on whether the information security management system is effectively implemented and maintained.

This statement emphasizes the importance of internal audits in assessing the effectiveness of the Information Security Management System (ISMS). Here’s a guide on how the organization can fulfill this requirement:

  • Establish a Schedule: Develop a schedule for internal audits that aligns with the organization’s objectives, risk assessments, and the importance of ISMS processes.
  • Define Criteria and Scope: Clearly define the audit criteria and scope, ensuring coverage of all relevant aspects of the ISMS.
  • Appoint Competent Auditors: Choose auditors with the necessary skills, knowledge, and competence in audit techniques and ISMS requirements.
  • Ensure Independence: Ensure auditors maintain independence and objectivity during the audit process.
  • Create an Audit Plan: Document the details of the internal audit program, including planned intervals, audit criteria, scope, and methods.
  • Audit Checklist: Develop a checklist or audit plan that includes criteria for assessing the effectiveness of ISMS implementation and maintenance.
  • Review Implementation Documents: Review documents related to the implementation of the ISMS, such as policies, procedures, and control measures.
  • Understand Maintenance Processes: Understand how the organization maintains and updates the ISMS to address changing circumstances and risks.
  • Systematic Auditing Process: Conduct audits using a systematic process, including interviews, document reviews, and observations.
  • Evaluate Effectiveness: Assess whether the ISMS is effectively implemented and maintained according to the established criteria.
  • Record Observations: Document findings, noting areas where the ISMS is effectively implemented and maintained and identifying any nonconformities.
  • Feedback Session: Communicate audit results to relevant stakeholders through a feedback session. Provide clear information on areas of effectiveness and any identified shortcomings.
  • Develop Corrective Action Plans: For any identified nonconformities or areas of improvement, develop corrective action plans. Include actions to enhance the effectiveness of ISMS implementation and maintenance.
  • Verify Corrective Actions: Conduct follow-up audits to verify the effectiveness of corrective actions. Ensure that actions taken have addressed identified nonconformities.
  • Learn from Audits: Use insights from internal audits to drive continuous improvement. Implement changes to enhance the overall effectiveness of the ISMS.
  • Present Results in Management Review: Present the results of internal audits during management reviews. Discuss the effectiveness of ISMS implementation and maintenance.

By conducting internal audits focused on the effective implementation and maintenance of the ISMS, the organization ensures that its information security practices are not only in place but are also functioning optimally. This approach supports continual improvement and helps meet the objectives of ISO 27001 and the organization’s own information security requirements.

The organization shall plan, establish, implement and maintain an audit programme(s).

1. Plan the Internal Audit Program:

  • Determine Objectives:
    • Define the objectives of the internal audit program. This could include assessing the effectiveness of the ISMS, ensuring compliance with ISO 27001, identifying areas for improvement, and providing assurance to management.
  • Consider Organizational Context:
    • Take into account the organization’s context, including its size, structure, processes, risk profile, and the nature of its information assets.
  • Audit Criteria and Scope:
    • Clearly define audit criteria and scope. This involves specifying what aspects of the ISMS will be audited and against what criteria.

2. Establish the Internal Audit Program:

  • Create a Schedule:
    • Develop a schedule for internal audits. The schedule should be based on factors such as the organization’s objectives, risk assessments, and the criticality of processes.
  • Frequency and Timing:
    • Determine the frequency of internal audits and the timing of each audit within the schedule.

3. Implement the Internal Audit Program:

  • Select Competent Auditors:
    • Appoint competent auditors with a good understanding of the ISMS and relevant audit techniques.
  • Independence and Objectivity:
    • Ensure that auditors maintain independence and objectivity throughout the audit process.
  • Communication:
    • Communicate the audit schedule and objectives to relevant stakeholders, including auditees.

4. Maintain the Internal Audit Program:

  • Documentation:
    • Document the details of the internal audit program, including the plan, schedule, criteria, and scope.
  • Regular Updates:
    • Regularly review and update the internal audit program to reflect changes in the organization’s context, risk landscape, and information security requirements.

5. Continuous Improvement:

  • Feedback Loop:
    • Establish a feedback loop from audit results to the improvement of the internal audit program itself.
  • Learn from Audits:
    • Use insights gained from internal audits to continuously improve the effectiveness of the ISMS.

6. Management Review:

  • Present Results in Management Review:
    • Present the results of the internal audit program during management reviews.
    • Discuss how the audit program contributes to the overall performance and effectiveness of the ISMS.

Key Points:

  • Systematic Approach:
    • The organization should approach the establishment and implementation of the internal audit program systematically.
  • Risk-Based Approach:
    • Consider a risk-based approach when planning the internal audit program, focusing on areas of higher risk and importance.
  • Adherence to Criteria:
    • Ensure that the internal audit program adheres to defined criteria, including the organization’s objectives, ISO 27001 requirements, and any other relevant criteria.
  • Adaptability:
    • The internal audit program should be adaptable to changes in the organization’s environment and information security landscape.

Audit programs must include the frequency, methods, responsibilities, planning requirements and reporting.

When planning and establishing an audit program, it’s crucial to include key elements such as frequency, methods, responsibilities, planning requirements, and reporting. Here’s a breakdown of each component:

1. Frequency:

  • Determine Audit Cycle: Define how often internal audits will be conducted. This frequency should consider factors such as the organization’s objectives, risk assessments, and the criticality of processes.
  • Consider Critical Processes: Identify critical processes or areas that may require more frequent audits due to higher risks.
  • Alignment with ISO 27001: Ensure that the audit frequency aligns with the requirements of ISO 27001 and any other relevant standards or regulations.

2. Methods:

  • Audit Techniques: Specify the audit methods and techniques that will be employed during the internal audits. This may include interviews, document reviews, observations, and testing.
  • Risk-Based Approach: Consider a risk-based approach when selecting audit methods, focusing more on higher-risk areas.
  • Checklists or Criteria: Develop checklists or audit criteria to guide auditors in assessing compliance and effectiveness.

3. Responsibilities:

  • Appointment of Auditors: Clearly define the responsibilities of auditors, including their selection, training, and appointment for specific audits.
  • Audit Team Composition: Specify the composition of the audit team, considering the expertise required for different aspects of the ISMS.
  • Auditee Responsibilities: Clearly communicate the responsibilities of the auditees, including their cooperation during the audit process.

4. Planning Requirements:

  • Audit Planning Process: Detail the process for planning each internal audit. This includes determining the audit criteria, scope, and objectives.
  • Consideration of Changes: Establish a process for updating the audit plan to reflect changes in the organization’s context, risk landscape, and information security requirements.
  • Resource Allocation: Plan for the allocation of resources, including time, personnel, and any tools or technologies required for the audit.

5. Reporting:

  • Audit Report Structure: Define the structure and format of audit reports. Ensure consistency in reporting across different audits.
  • Clear Communication: Clearly communicate audit findings, including areas of compliance and any identified nonconformities or opportunities for improvement.
  • Timeline for Reporting: Establish timelines for reporting, ensuring that audit results are communicated within a reasonable timeframe after the completion of the audit.

Additional Considerations:

  • Feedback Mechanism: Implement a feedback mechanism to capture insights from auditors and auditees, contributing to the continuous improvement of the audit program.
  • Training and Development: Establish a process for the ongoing training and development of auditors to enhance their skills and knowledge.
  • Corrective Actions: Develop procedures for initiating corrective actions based on audit findings, and ensure that these actions are tracked and implemented.
  • Management Review: Present the overall results of the audit program during management reviews, providing insights into the effectiveness of the ISMS.

By incorporating these elements into the audit program, the organization can ensure a comprehensive and systematic approach to assessing the performance and effectiveness of its Information Security Management System (ISMS). This approach aligns with the requirements of ISO 27001 and promotes continual improvement in information security practices.

When establishing the internal audit program, the organization shall consider the importance of the processes concerned and the results of previous audits.

Considering the importance of processes and the results of previous audits is a crucial aspect of establishing an effective internal audit program, especially in the context of ISO 27001. Let’s break down how the organization can incorporate these considerations:

1. Consideration of the Importance of Processes:

  • Risk-Based Approach: Apply a risk-based approach to identify and prioritize processes for internal audits. This involves assessing the potential impact and likelihood of risks associated with each process.
  • Criticality of Information Assets: Consider the criticality of information assets supported by each process. Processes handling highly sensitive or critical information may require more frequent and thorough audits.
  • Strategic Objectives: Align the audit program with the organization’s strategic objectives. Ensure that audits focus on processes that directly contribute to the achievement of these objectives.
  • Regulatory Compliance: Consider processes that have a significant impact on regulatory compliance. Auditing these processes helps ensure that the organization meets legal and regulatory requirements.

2. Review of Previous Audit Results:

  • Learn from Past Audits: Review the results and findings of previous internal audits. Identify areas that have previously shown nonconformities, weaknesses, or opportunities for improvement.
  • Continuous Improvement: Use insights from previous audits to drive continuous improvement. Determine whether corrective actions from previous audits have been effective and whether there are recurring issues.
  • Focus on High-Risk Areas: If previous audits have identified high-risk areas, prioritize these for future audits. Ensure that the effectiveness of corrective actions is assessed.
  • Feedback Loop: Establish a feedback loop between consecutive audits. Use lessons learned from previous audits to refine the audit program, making it more effective and efficient over time.

Additional Considerations:

  • Frequency Adjustment: Adjust the frequency of audits based on the evolving risk landscape and changes in the organization’s context. High-risk areas may require more frequent audits.
  • Resource Allocation: Allocate resources, including skilled auditors, to areas that are deemed more critical or have a history of nonconformities.
  • Documentation Updates: Update audit documentation, including checklists and criteria, based on the findings and lessons learned from previous audits.
  • Management Involvement: Involve management in the review of previous audit results. Their insights can contribute to a more informed decision-making process.
  • Communication of Changes: Communicate any changes in the audit program based on the results of previous audits. Ensure that stakeholders are aware of adjustments made for improvement.

By considering the importance of processes and reflecting on the results of previous audits, the organization can tailor its internal audit program to address the specific needs and risks associated with its Information Security Management System (ISMS). This approach enhances the effectiveness of the audit program and contributes to the overall success of the organization’s information security efforts.

The organization shall define the audit criteria and scope for each audit.

Defining audit criteria and scope is a fundamental step in the establishment of an effective internal audit program for an Information Security Management System (ISMS). Here’s how the organization can fulfill this requirement:

1. Audit Criteria:

  • ISO 27001 Requirements: Ensure that the audit criteria align with the requirements specified in ISO 27001. This involves considering each control, policy, procedure, and process outlined in the standard.
  • Organizational Policies and Procedures: Include criteria related to the organization’s internal policies, procedures, and requirements for information security.
  • Legal and Regulatory Requirements: Consider applicable legal and regulatory requirements that the organization must comply with in the context of information security.
  • Best Practices: Incorporate industry best practices and standards related to information security, beyond the requirements of ISO 27001, as part of the audit criteria.

2. Audit Scope:

  • Process Boundaries: Clearly define the scope of each audit by identifying the specific processes, functions, or areas within the organization that will be subject to audit.
  • Risk-Based Approach: Apply a risk-based approach to determine the audit scope. Focus on areas with higher inherent risks and potential impacts on the ISMS.
  • Critical Information Assets: Include processes that handle critical information assets or support critical business functions within the scope of audits.
  • Changes and New Implementations: Consider changes in the organization, such as new systems, processes, or technologies, and ensure that these are included in the audit scope.

3. Criteria for Measurement:

  • Performance Metrics: Define specific criteria for measurement to assess the performance of controls, processes, and the overall ISMS.
  • Effectiveness of Controls: Establish criteria to evaluate the effectiveness of security controls in place and their ability to mitigate identified risks.
  • Compliance Metrics: Include criteria related to compliance with ISO 27001, internal policies, and relevant legal and regulatory requirements.

4. Methodology and Tools:

  • Audit Methodology: Define the methodology that auditors will follow during the audit, including the sequence of activities, types of evidence to be collected, and data analysis methods.
  • Audit Tools: Specify any tools or technologies that will be used to facilitate the audit process, such as audit management software or data analysis tools.

5. Audit Frequency:

  • Determine Frequency: Clearly state how often audits will be conducted. This could be based on a predetermined schedule, risk assessments, or other relevant factors.
  • Consideration of Changes: Consider adjusting the frequency of audits based on changes in the organization’s context, risk landscape, or information security requirements.

6. Communication:

  • Transparent Communication: Communicate the defined audit criteria and scope transparently to relevant stakeholders, including auditors and auditees.
  • Feedback and Clarification: Establish a mechanism for obtaining feedback and clarification from stakeholders on the defined criteria and scope.

7. Documentation:

  • Documented Procedures: Document procedures for defining audit criteria and scope. This documentation serves as a reference point for auditors and ensures consistency.

By clearly defining audit criteria and scope, the organization provides a foundation for meaningful and effective internal audits. This not only helps in ensuring compliance with ISO 27001 but also contributes to the ongoing improvement of the Information Security Management System.

The organization shall select auditors and conduct audits that ensure objectivity and the impartiality of the audit process

Ensuring objectivity and impartiality in the audit process is critical for the effectiveness and credibility of internal audits within an Information Security Management System (ISMS). This requirement aligns with the principles outlined in ISO 19011:2018, which provides guidance on auditing management systems. Here are key steps the organization can take to meet this requirement:

1. Selection of Auditors:

  • Competency Criteria: Define criteria for the competency of auditors. This should include knowledge of information security management, auditing techniques, and relevant industry practices.
  • Independence: Select auditors who demonstrate independence. Auditors should be free from bias and conflicts of interest that could compromise the objectivity of the audit.
  • Training and Qualifications: Ensure that auditors receive appropriate training in auditing techniques and stay informed about changes in information security standards and best practices.
  • Multidisciplinary Skills: Consider a multidisciplinary team of auditors with diverse skills and backgrounds to address the various facets of the ISMS.

2. Conducting Audits with Objectivity:

  • Adherence to Criteria: Instruct auditors to adhere strictly to the audit criteria and scope defined for each audit. This helps maintain objectivity in assessing the ISMS.
  • Avoidance of Bias: Emphasize the importance of avoiding personal biases and preconceptions during the audit. Auditors should base their assessments on evidence and facts.
  • Consistency in Approach: Ensure consistency in the approach taken by auditors. This consistency contributes to the objectivity of the audit process across different audits and auditors.

3. Impartiality in the Audit Process:

  • Conflict of Interest Management: Implement measures to identify and manage conflicts of interest among auditors. This includes disclosing any potential conflicts and taking appropriate actions to address them.
  • Auditor Independence: Reinforce the principle of auditor independence. Auditors should not audit their own work or areas where they have a vested interest.
  • Impartial Decision-Making: Encourage impartial decision-making during the audit process. This involves making objective judgments based on evidence rather than personal preferences.

4. Documentation and Record-Keeping:

  • Documented Procedures: Document procedures for selecting auditors, ensuring their competence, and managing conflicts of interest. This documentation provides transparency and guidance.
  • Audit Records: Maintain comprehensive records of audits, including the selection of auditors, audit plans, findings, and corrective actions. These records serve as evidence of the audit process.

5. Continuous Improvement:

  • Feedback Mechanism: Establish a feedback mechanism for auditors. Regularly gather feedback on their performance, and use this information for continuous improvement.
  • Learning from Audits: Encourage auditors to learn from each audit experience. Use lessons learned to enhance their skills and improve the overall audit process.

6. Communication and Transparency:

  • Communication of Objectives: Clearly communicate the objectives of the audit process to auditors, emphasizing the importance of objectivity and impartiality.
  • Transparency in Results: Promote transparency in communicating audit results. Clearly present findings, conclusions, and recommendations to relevant stakeholders.

By taking these steps, the organization can foster an audit environment that is characterized by objectivity and impartiality. This, in turn, enhances the reliability and value of the internal audit process in assessing the effectiveness of the Information Security Management System.

The organization shall ensure that the results of the audits are reported to relevant management

Reporting the results of internal audits to relevant management is a crucial component of the audit process. This communication ensures that management is informed about the performance of the Information Security Management System (ISMS) and can take appropriate actions for continual improvement. Here’s how the organization can fulfill this requirement:

1. Prepare a Comprehensive Audit Report:

  • Incorporate Key Information: Include key information in the audit report, such as the audit scope, criteria, methodology, audit findings, and conclusions.
  • Objective and Impartial Reporting: Ensure that the audit report is objective and impartial, presenting facts and evidence-based conclusions.
  • Documentation of Results: Clearly document the results of the audit, including areas of compliance, nonconformities, opportunities for improvement, and any noteworthy observations.

2. Timely Communication:

  • Set Reporting Timelines: Establish timelines for the preparation and communication of audit reports. This ensures that relevant management receives timely information.
  • Urgent Matters: In cases where urgent matters or critical issues are identified during the audit, prioritize immediate communication to management.

3. Communication Channels:

  • Direct Communication: Consider direct communication channels to relevant management, such as face-to-face meetings or video conferences, especially for significant findings.
  • Formalized Reporting: Utilize formalized reporting methods, including written reports or presentations, to provide a structured and comprehensive overview.

4. Highlight Areas for Improvement:

  • Opportunities for Improvement: Clearly highlight opportunities for improvement identified during the audit. These can include suggestions for enhancing the effectiveness and efficiency of the ISMS.
  • Risk Mitigation Strategies: Propose risk mitigation strategies for any identified nonconformities or areas where the ISMS may not be fully effective.

5. Follow-Up on Corrective Actions:

  • Corrective Action Plans: Include information on corrective action plans developed in response to previous audit findings. Report on the status of these corrective actions.
  • Verification of Corrective Actions: If applicable, communicate the results of the verification of corrective actions to provide assurance that identified issues have been addressed.

6. Management Review Meetings:

  • Present Results in Management Review Meetings: Incorporate the results of internal audits into regular management review meetings. This ensures that audit findings inform strategic decision-making.
  • Feedback Mechanism: Establish a feedback mechanism during management review meetings for management to provide input on audit results and actions taken.

7. Documentation and Record-Keeping:

  • Document Communication: Maintain documented records of audit communication, including reports, meeting minutes, and any additional documentation shared with management.
  • Evidence of Review: Ensure that there is evidence of management’s review and consideration of audit results within the documented records.

8. Continuous Improvement:

  • Feedback Loop: Establish a feedback loop from management to the audit process. Gather insights on how the audit process can be improved for future assessments.
  • Learning from Results: Encourage management to use audit results as a basis for learning and continuous improvement within the organization.

By following these steps, the organization ensures that the results of internal audits are effectively communicated to relevant management, enabling informed decision-making, continual improvement, and the ongoing effectiveness of the ISMS.

Documented information shall be available as evidence of the implementation of the audit programmes and the audit results.

Documenting information is essential for providing evidence of the implementation of audit programs and the results of audits. This documentation helps in maintaining transparency, accountability, and traceability in the audit process. Here are key aspects to consider:

1. Documented Audit Programs:

  • Audit Plans: Document the details of each audit program, including the audit plan, schedule, criteria, scope, and methodologies.
  • Selection of Auditors: Maintain records of the selection process for auditors, highlighting their competencies and qualifications.
  • Criteria and Scope: Clearly document the audit criteria and scope for each audit, ensuring alignment with organizational and ISO 27001 requirements.

2. Implementation Records:

  • Audit Execution Documentation: Document the actual execution of each audit, including activities performed, evidence collected, and observations made.
  • Audit Logs: Maintain audit logs that capture key information such as dates, participants, and any deviations from the planned audit program.

3. Audit Results Documentation:

  • Audit Reports: Create comprehensive audit reports documenting findings, conclusions, and recommendations. Ensure these reports are objective, impartial, and based on evidence.
  • Nonconformity Reports: Document nonconformities identified during audits, specifying the nature of the nonconformity, its location, and potential impacts.
  • Opportunities for Improvement: Document opportunities for improvement identified during audits, including suggestions for enhancing the ISMS.

4. Corrective Action Records:

  • Corrective Action Plans: Record the development of corrective action plans in response to audit findings. Include details on actions planned, responsible parties, and timelines.
  • Verification of Corrective Actions: Document the verification process for corrective actions, demonstrating that identified issues have been effectively addressed.

5. Communication Records:

  • Meeting Minutes: Document meeting minutes for any communication sessions related to the audit process, such as feedback sessions with auditees and discussions with management.
  • Feedback and Clarification: Keep records of any feedback received and clarifications sought during the audit process.

6. Management Review Documentation:

  • Management Review Records: Document records of management review meetings where audit results are presented, discussed, and used for decision-making.
  • Feedback Mechanism: Capture feedback from management on audit results and the effectiveness of corrective actions.

7. Document Control:

  • Version Control: Implement a version control system to manage updates and revisions to audit program documents, reports, and other related documentation.
  • Access Control: Ensure that access to audit documentation is controlled, limiting it to authorized personnel to maintain confidentiality and integrity.

8. Retention and Archiving:

  • Retention Periods: Define retention periods for audit documentation, ensuring that records are kept for an appropriate duration based on legal, regulatory, and organizational requirements.
  • Archiving Process: Establish a process for the systematic archiving of audit documentation to facilitate retrieval and future reference.

9. Continuous Improvement Documentation:

  • Feedback Loop Records: Document any adjustments made to the audit program based on feedback received, contributing to the continuous improvement of the audit process.

By systematically documenting information related to audit programs and results, the organization creates a reliable and traceable record of its audit activities. This not only ensures compliance with ISO 27001 requirements but also supports transparency, accountability, and the overall effectiveness of the Information Security Management System.

Procedure for ISMS Internal Audit

1.0 Purpose: The purpose of this procedure is to establish a systematic process for planning, conducting, and reporting internal audits of the Information Security Management System (ISMS) in accordance with the requirements of ISO 27001:2013.

2.0 Scope: This procedure applies to all internal audits conducted to assess the effectiveness and conformity of the organization’s ISMS.

3.0 Responsibilities:

  • Management Representative: Responsible for overall coordination and management of the internal audit process.
  • Internal Auditor(s): Competent individuals appointed to conduct internal audits.
  • Department Heads and Process Owners: Provide necessary cooperation and access to information during internal audits.

Procedure Steps:

4.0 Audit Planning:

4.1 Selection of Auditors:

  • Identify and appoint competent internal auditors based on their knowledge of information security management and auditing techniques.

4.2 Audit Criteria and Scope:

  • Define the audit criteria, including ISO 27001 requirements, organizational policies, and relevant legal and regulatory requirements.
  • Clearly define the scope of the audit, specifying the processes and areas to be audited.

4.3 Audit Frequency:

  • Determine the frequency of internal audits based on the organization’s objectives, risk assessments, and the criticality of processes.

5.0 Audit Preparation:

5.1 Document Review:

  • Review relevant documentation, including ISMS policies, procedures, risk assessments, and previous audit reports.

5.2 Audit Checklist:

  • Develop an audit checklist or plan that includes specific audit criteria and areas to be assessed.

6.0 Conducting the Audit:

6.1 Entrance Meeting:

  • Conduct an entrance meeting to communicate the purpose, scope, and objectives of the audit to the auditee.

6.2 Information Gathering:

  • Collect evidence through interviews, document reviews, and observations to assess the conformance and effectiveness of the ISMS.

6.3 Nonconformity Identification:

  • Identify and document any nonconformities observed during the audit, including the nature of the nonconformity and its location.

7.0 Reporting:

7.1 Audit Report:

  • Prepare a comprehensive audit report that includes audit findings, areas of conformity, nonconformities, and opportunities for improvement.
  • Include a summary of evidence, conclusions, and recommendations for corrective actions.

7.2 Communication:

  • Communicate the audit results to relevant management, emphasizing areas of improvement and corrective actions required.

8.0 Corrective Actions:

8.1 Corrective Action Plans:

  • Develop corrective action plans for addressing identified nonconformities.
  • Include responsibilities, timelines, and measures to prevent recurrence.

8.2 Verification of Corrective Actions:

  • Verify the effectiveness of corrective actions through follow-up audits or reviews.

9.0 Records and Documentation:

9.1 Documented Records:

  • Maintain documented records of the entire audit process, including audit plans, checklists, reports, and corrective action documentation.

9.2 Archiving:

  • Archive audit records according to established retention periods and document control procedures.

10.0 Continuous Improvement:

10.1 Feedback Loop:

  • Establish a feedback loop from audit results to the improvement of the internal audit process.
  • Use insights gained from audits to drive continuous improvement in the ISMS.

ISMS Internal Audit Program

1.0 Purpose: The purpose of this Internal Audit Program is to systematically assess the effectiveness and conformity of the Information Security Management System (ISMS) in accordance with ISO 27001:2013.

2.0 Scope: This program applies to all internal audits conducted within the organization to evaluate the ISMS.

3.0 Frequency: Internal audits will be conducted annually, with the schedule subject to adjustment based on organizational changes, risk assessments, and management decisions.

4.0 Responsibilities:

  • Management Representative:
    • Overall coordination and management of the internal audit program.
    • Selection and appointment of internal auditors.
  • Internal Auditors:
    • Conduct internal audits based on the defined schedule.
    • Report findings to the Management Representative.
  • Department Heads and Process Owners:
    • Cooperate with auditors, providing necessary access to information and resources.

Audit Criteria

  • ISO 27001 Requirements:
    • Assess adherence to the requirements outlined in ISO 27001.
  • Organizational Policies and Procedures:
    • Evaluate compliance with internal policies and procedures related to information security.
  • Legal and Regulatory Requirements:
    • Verify conformity with relevant legal and regulatory requirements.
  • Best Practices:
    • Consider industry best practices and standards related to information security.

Audit Scope

  • Scope Definition:
    • The scope of each audit will encompass specific processes and areas identified in the audit schedule.
    • High-risk areas and critical information assets will be prioritized.

Audit Methodology

  • Audit Methods:
    • The audit will utilize interviews, document reviews, and observations.
    • Evidence-based assessment will be the foundation of audit conclusions.

Audit Reporting

  • Audit Report:
    • A comprehensive audit report will be prepared for each audit, including findings, conclusions, and recommendations.
    • Nonconformities and opportunities for improvement will be clearly identified.

Corrective Actions

  • Corrective Action Plans:
    • For identified nonconformities, corrective action plans will be developed, specifying responsibilities and timelines.
    • Verification of corrective actions will be conducted as part of the follow-up process.

Continuous Improvement

  • Feedback Loop:
    • Insights gained from internal audits will be used to continually improve the Internal Audit Program and the effectiveness of the ISMS.

Review and Update

  • Review Periodicity:
    • The Internal Audit Program will be reviewed annually for relevance and effectiveness.
    • Adjustments will be made based on changes in organizational context and information security risks.

ISMS Audit Schedule

Audit Number | Process/Area        | Planned Date | Auditor(s)
-------------|---------------------|--------------|------------------
1            | Access Control      | MM/YYYY      | John Doe
2            | Incident Response   | MM/YYYY      | Jane Smith
3            | Network Security    | MM/YYYY      | Alex Johnson
4            | Data Encryption     | MM/YYYY      | Sarah Williams
5            | Security Awareness  | MM/YYYY      | Michael Anderson
6            | Physical Security   | MM/YYYY      | Emily Davis
7            | Risk Management     | MM/YYYY      | Kevin Thompson
8            | Business Continuity | MM/YYYY      | Jessica Miller

Notes:

  1. Adjust the audit number, process/area, and auditor(s) based on your organization’s structure and naming conventions.
  2. Include additional processes or areas specific to your ISMS.
  3. Ensure that auditors are assigned based on their competence and knowledge of the audit criteria.
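Note 3 above and the impartiality section earlier on this page (auditors must not audit their own work or areas where they have a vested interest) can be enforced before a schedule like the one above is approved. The following is an added example, not code from the original page: it screens a draft schedule against a process-owner register and the auditors' own conflict disclosures. The schedule rows mirror the sample table, while the owner register and declared conflicts are constructed, hypothetical data.

```python
"""Added example (not from the original page): screen a draft ISMS
internal audit schedule for auditor-independence conflicts before
approval (ISO 27001:2022 clause 9.2.2 b). All ownership data, declared
conflicts and dates below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AuditEntry:
    number: int
    area: str
    planned: str                 # "MM/YYYY" placeholder, as in the sample schedule
    auditors: Tuple[str, ...]


# Constructed draft schedule mirroring the first rows of the sample table.
SCHEDULE = [
    AuditEntry(1, "Access Control", "MM/YYYY", ("John Doe",)),
    AuditEntry(2, "Incident Response", "MM/YYYY", ("Jane Smith",)),
    AuditEntry(3, "Network Security", "MM/YYYY", ("Alex Johnson",)),
    AuditEntry(4, "Data Encryption", "MM/YYYY", ("Sarah Williams",)),
]

# Constructed (hypothetical) process-owner register: the auditee side.
PROCESS_OWNERS: Dict[str, Set[str]] = {
    "Access Control": {"Michael Anderson"},
    "Incident Response": {"Jane Smith"},    # Jane would audit her own process
    "Network Security": {"Kevin Thompson"},
    "Data Encryption": {"Sarah Williams"},  # Sarah would audit her own process
}

# Constructed (hypothetical) conflicts from the auditors' disclosure forms:
# auditor -> areas they have declared they must not audit.
DECLARED_CONFLICTS: Dict[str, Set[str]] = {
    "Alex Johnson": {"Network Security"},
}

Finding = Tuple[int, str, str]


def independence_findings(schedule, owners, declared) -> List[Finding]:
    """Return (audit number, auditor, reason) for every assignment that
    breaches impartiality; an empty list means the schedule is clear."""
    findings: List[Finding] = []
    for entry in schedule:
        for auditor in entry.auditors:
            if auditor in owners.get(entry.area, set()):
                findings.append((entry.number, auditor,
                                 "auditor owns the process being audited"))
            if entry.area in declared.get(auditor, set()):
                findings.append((entry.number, auditor,
                                 "auditor declared a conflict for this area"))
    return findings


if __name__ == "__main__":
    for number, auditor, reason in independence_findings(
            SCHEDULE, PROCESS_OWNERS, DECLARED_CONFLICTS):
        print(f"audit {number}: reassign {auditor}: {reason}")
```

Each finding is a reassignment the Management Representative must make before the schedule is issued; keeping the register and disclosures alongside the schedule also gives the documented evidence of auditor selection that clause 9.2.2 asks for.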

Audit Frequency:

  • Internal audits will be conducted annually, with adjustments based on organizational changes, risk assessments, and management decisions.
  • The schedule may be subject to modification based on emerging risks, changes in the organizational context, or other relevant factors.

Review and Adjustments:

  • Periodically review the audit schedule to ensure its alignment with the organization’s objectives and risk landscape.
  • Adjust the schedule as needed to address emerging information security risks or changes in the organization.

Communication:

  • Communicate the audit schedule to relevant stakeholders, including auditors, auditees, and management.
  • Ensure that all parties are aware of the planned audit dates and can adequately prepare for the audit process.

Documentation:

  • Document the audit schedule as part of the organization’s records.
  • Include the schedule in the ISMS documentation and make it available to those involved in the audit process.
