866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

What are the ISO 27001 Internal Audit Requirements? Blog Feature
RYAN MACKIE

By: RYAN MACKIE

Print/Save as PDF

What are the ISO 27001 Internal Audit Requirements?

ISO Certifications

On the television show Alone, contestants must self-document themselves attempting to survive in harsh terrain. Without established shelter, a consistent food supply, or any other humans in the remote area to help—it’s a heavy lift in every way even for the most seasoned survivalist.

Here in the compliance world, ISO 27001 represents a parallel challenging endeavor with its similar comprehensive approach to information security. You may not be living solely off the land, but implementing a holistic information security management system (ISMS) in order to meet this standard is difficult—particularly where the internal audit requirement is concerned.

If you were to ask a former Alone contestant what was the hardest part of living remotely, different folks might have various answers, but as an ISO Certification Body, we consistently get feedback that the internal audit function is a particularly tricky part of the ISO 27001 standard.

To help you avoid the confusion and difficulties other organizations experience, we’re going to address the complexities of the ISO 27001 internal audit and break them down, including the explicit requirements stated within the standard.

Contestants on Alone may have been on their own in trying to survive a tough gauntlet, but you aren’t—read on so that you can maintain your compliance with these requirements that much more easily.

What is ISO 27001 Clause 9.2?

The trouble with the internal audit is that many organizations go into it thinking that, functionally, it’s just a simple walkthrough of organizationally specific processes and applicable controls; however, they soon realize that the ISO 27001 internal audit is actually more stringent and control-focused than previously believed.

That’s because to successfully meet the ISO 27001 requirements for internal audit, you’ve got to review the framework and all in-scope Annex A controls based on your Statement of Applicability (SOA). As such, implementing Clause 9.2—which is where all the detailed requirements for your internal audit function are located within the standard—can be challenging, especially for smaller organizations.

Why? There are two reasons:

  • The prescriptive nature of the requirements.
  • The need for resources that:
    • Are independent of the development and maintenance of the ISMS; and
    • Possess the requisite competencies to perform the internal audit function.

While we can’t help with finding you resources, we can explain in more detail each of the requirements, which we’ll do now by addressing each subclause of 9.2.

ISO 27001 Clause 9.2 Breakdown

The first two sections we can get through quickly:

  • 2a requires that you conduct internal audits at planned intervals to provide information on whether your ISMS conforms to your own requirements for the ISMS.
  • 2b requires that your internal audit conforms to the requirements of the standard.

 But what does that really mean—“conform to the requirements of the standard?” Let’s take a look at the additional explicit requirements documented within this clause so that you understand exactly how to go about your internal audit.

ISO 27001 Clause 9.2c - Audit Program

 

What The Standard Says to Do: Plan, establish, implement, and maintain an audit program, including the frequency, methods, responsibilities, planning requirements, and reporting.

How to Comply: Your audit program should be documented to include:

  • The frequency and timing of internal audit functions,
  • Methods by which the internal audit will be conducted, and
  • Assignment of responsibilities determining documentation requirements for the planning, performance, and reporting of internal audits.

In recording all this, make sure to consider the importance of the relevant processes and any results of previous audits.

ISO 27001 Clause 9.2d - Audit Criteria and Scope

What The Standard Says to Do: Define the audit criteria and scope for each audit.

How to Comply: While your audit program may also take a higher-level look at your internal audit function as a whole, it may be necessary to document the specifics of each audit that you plan.

With respect to the internal audit of the controls within your SOA, you might opt for a risk-based approach in this due to:

  • Available resources;
  • The need for more a frequent review of controls and processes mitigating higher risks; and
  • Directives by management or ISMS owners.

Each of your periodical internal audits should be accompanied by documentation of the criteria and scope of the audit to ensure objectives are met.

ISO 27001 Clause 9.2e - Auditor Selection and Independence

What The Standard Says: Select auditors to conduct audits that ensure the impartiality of the audit process.

How to Comply: When selecting the audit team that will be responsible for conducting internal audit activities, the independence and impartiality of the members are paramount. Not only should the people you choose take care to ensure they are not auditing functions over which they have operational control or ownership, but impartiality is also especially important when considering the auditors who will be reviewing your ISMS against the standard.

In our experience, that’s one of the more common areas we encounter nonconformities—the internal audit of the ISMS against the standard.

Many times, organizations will select an internal auditor who had an integral role in developing the ISMS or who continues to have a role in decision-making for the maintenance and direction of the ISMS. But if that’s the case—if the internal auditor is auditing work that he/she created, or if the responsibility of initiating or implementing any corrective action falls back to that internal auditor—there may be an issue of independence, so you should take care to avoid this misstep.

ISO 27001 Clause 9.2f - Reporting on Audit Results

What The Standard Says: Report the results of the audit to relevant management.

How to Comply: Once you complete your internal audit, the internal auditor has a responsibility to ensure the results are reported to appropriate management. These results should be communicated via the management review that occurs on at least an annual basis.

Once your internal audit program is created, approved, and tested, and you establish this review cadence, your process should mature and improve over the following years.

ISO 27001 Clause 9.2g - Audit Program and Record Retention

What The Standard Says: Retain and document information as evidence of the audit program and results.

How to Comply: Documenting record retention policies is the responsibility of the ISMS owners and is a requirement of the standard (specifically, clause 7.5.3).

They should retain the planning documentation as well as the records gathered during the internal audit activities to ensure objectives are met. You should also maintain the results of the internal audit as a record of performance and support for the conclusions reached by your internal audit.

Moving Forward with ISO 27001 Certification

Your ISO 27001 internal audit is about validating the effectiveness of your ISMS through substantive testing and reporting of the results. If you can successfully implement the requirements of Clause 9.2, as outlined here, you’ll be more easily able to consistently do this, though you will need support and input from top management.

 

The ISO 27001 internal audit may be one of the toughest hurdles to certification, but now you’re better equipped to “survive” it (even if you may not yet be ready to survive a stint on Alone). To help deconstruct some of ISO 27001’s other complexities and updates, check out our other content to ensure you’re that much more prepared for certification:

 

About RYAN MACKIE

Ryan Mackie is a Managing Principal at Schellman, and has been with the firm since 2005. Ryan supports the regional Florida market and manages SOC, PCI-DSS, ISO, HIPAA, and Cloud Security Alliance (CSA) STAR Certification and Attestation service delivery. He also oversees the firm-wide methodology and execution for the ISO certification services, including ISO 27001, ISO 9001, ISO 20000-1, and ISO 22301 as well as CSA STAR certification services. He has over 25 years of experience. Ryan also is an active member of the CSA and co-chairs the Open Control Framework committee which is responsible for the CSA STAR Program methodology and execution.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.