ISO 27001 - Internal Audit

No. The term “internal audit” is the term for the organisation’s self-audit of the ISMS. It does not suggest that the audit action must be carried out by a member of that organisation. A competent third party (such as the experienced experts of TEN Information Management GmbH) can also be commissioned.

The subject of an internal audit according to ISO 27001:2022 section 9.2.1 is the conformity of the processes with the organisation’s own objectives, with the requirements of the standard – as well as the question of whether the ISMS is implemented effectively. Efficiency (i.e. with which resources this is done), on the other hand, is not the subject of the audit.

The auditor will first ask the organisation to be audited about the focal points to be audited; the internal audit programme will help here. If such a programme does not exist, the auditor will help to determine the focal points. The auditor then draws up an audit plan, which is sent to the organisation to be audited in good time before the audit. On the basis of this plan, the audit is then carried out either on site or via an online session. You will receive a report on the results, which you can use to remedy any weaknesses and to prove to the certification body that the internal audit was carried out.

The audit plan is the document that sets the agenda for the internal audit. For the points listed there, it should be considered in advance how and on the basis of which documents (e.g. standard documents, records) the evidence of implementation should be provided. It is important to understand the internal auditor as a source for improvement measures. An internal audit is always about learning what needs to be adjusted before the certification audit.

An audit report is prepared on the results of the internal audit, which can be used to remedy any weaknesses and to prove to the certification body that the internal audit was carried out.

Depending on the size of the organisation, a duration of between two and four person days (including preparation and follow-up) should be expected.

Decisive factors are the number of employees in the ISMS scope and the number of locations.

None. The only requirement is that the aspects mentioned in chapter 9.2.1 of the standard must be covered. However, in their own interest, audited organisations should make sure that the auditor has the relevant experience.

The choice of language is optional. In particular, the language of the internal audit does not have to be the same as that in which the ISMS documentation is written. In practice, for example, it often happens that the ISMS is documented in English, but the working language and also the documentation language for the internal audit is German.

Not necessarily. In principle, a remote audit is possible, although an on-site audit can be advantageous, especially for aspects of physical security.

The internal audit is the organisation’s self-audit with regard to the topics of conformity of the ISMS to the specifications of the standard, to the organisation’s own objectives and the verification of effective implementation. The need for self-auditing is a direct requirement of the standard (standard section 9.2.1). In an official certification audit, the same points are checked – but by the auditor of the certification body. In this context, he or she must also check whether the organisation has carried out an internal audit.

Yes. Usually an audit plan is drawn up in advance, which forms the basis for the audit action.

The audited organisation itself. It should have an internal audit programme. When defining such a programme, it should be noted that all standard requirements are audited at least once within an audit cycle.

The assessment is based on the same standards as in an “official” certification audit. OFIs (Opportunities for improvement) are opportunities for improvement that are recommended for implementation. Minor non-conformities (often also: NC1) are so-called secondary non-conformities, i.e. a standard requirement is not fulfilled, but this circumstance does not affect the effectiveness of the ISMS as a whole. Major non-conformities (also referred to as NC2) are so-called major non-conformities, the implication of which is serious.

No. The internal audit serves more as a stocktaking of the ISMS and provides valuable information that should be implemented before the final certification audit.

Basically, each normative minimum requirement should be audited at least once within a certification cycle. We generally recommend that in the first year (i.e. before the first certification audit) all normative minimum requirements are checked within the framework of the internal audit.

The Internal Audit Programme defines the audits and contents to be carried out in the annual cycle. Internal audits are part of the regular reviews to be carried out.

At least annually, i.e. once a year – although more than one audit per year is possible.

The requirement results from the standard requirement 9.2.1. Organisations claiming conformity with the standard must implement all normative minimum requirements from the standard chapters 4-10 – including 9.2.1, which prescribes the performance of an internal audit.

Yes!

The selected person should be neutral and unbiased and have appropriate professional competence, i.e. auditor training (e.g. as a CISA – Certified Information Systems Auditor) together with appropriate professional experience and, if necessary, industry experience. Knowledge of ISO 19011, a recommendation for auditing management systems, is also helpful.

If possible, the selected person should “fit” the audited organisation, i.e. have the appropriate professional and social competence. In our experience, it is also helpful if the auditor has experience in auditing organisations of similar size and focus.

The results of the internal audit should be acknowledged and appropriate conclusions drawn as part of the management review. It is also advisable to derive appropriate action lines from the results of the internal audit in order to further improve the ISMS – before the certification audit is due.

The person will not be neutral and objective enough to evaluate the ISMS. He/she would be assessing his/her own work, which would be a violation of the principle of segregation of duty. For this reason, an internal audit should be carried out by a person who has not been involved in the implementation of the ISMS.

In an internal audit, the conformity of the ISMS with the standard, with its own objectives as well as the effective implementation is checked in detail. The management assessment takes place at a higher level of detail. Within the framework of the management assessment, the results of the internal audit are evaluated and appropriate conclusions are drawn. Also, the circle of responsible persons is different: in an internal audit, an auditor conducts a review, whereas in a management review, the organisation’s top management appreciates the results from the internal audit (and other issues).