This question is often asked by novices who are dealing with ISO 27001 for the first time.
An internal audit is a self-audit in which an expert auditor verifies three key points:
1. Are the requirements of the ISO 27001 standard (as amended) met?
2. Does the ISMS (information security management system) meet the requirements of the company’s own organization?
3. Is the ISMS effectively implemented and maintained?
First, this requires that the requirements of the standard are known and actively practiced in the organization. Second, the requirements of the organization must have been identified. Otherwise, it is not possible to verify that they are being met.
After an Internal Audit, a report is usually written that identifies strengths, weaknesses (including non-conformities, if applicable) and opportunities for optimization. With these findings, the organization can put continuous improvement into practice in the next step and keep working to improve its processes.
However, the Internal Audit report is not only a source of input for continuous improvement. It is also one of the essential aspects that should be considered during a management review.
As part of this so-called Management Review, the decision-makers and managers of an organization should be regularly informed about opportunities for improvement, relevant changes to the ISMS, and the results of internal audits. The aim is to regularly review and evaluate the effectiveness of the ISMS. The results of Internal Audits are therefore part of every Management Review.
This enables the organization’s leadership to derive and decide on changes. This also includes investments or training. The Management Review is thus an essential part of lived responsibility for the organization and its information security. Managers and decision-makers are required to actively deal with the ISMS and to make all decisions relevant to information security.
Incidentally, the term “Internal Audit” explicitly does not mean that an organization must perform such a check itself or through its own personnel.
In fact, organizations often have no or insufficient competencies and personnel to perform the checks themselves. Often, the competent persons within the organization are or have been involved with the establishment and operation of the ISMS. Consequently, they would be biased because they would be auditing their own work, and thus they are not suitable as internal auditors because of the required segregation of duties. In such cases, companies can, may and should call on external help.
We at TEN Information Management GmbH regularly perform such internal audits for small and large institutions. All our auditors have many years of experience and the necessary intuition to be able to carry out these investigations. So feel free to contact us!