One of the core functions of an information security management system (ISMS) is a periodic and independent internal audit of the ISMS against the requirements of the ISO IEC 27001:2013 (ISO 27001) standard. This function, as required by clause 9.2 of the ISO 27001 standard, is commonly the most challenging function to implement in a way that meets each of the requirements set forth in the standard, especially for smaller organizations. This is due to its prescriptive nature, and the need for resources that are both independent of the development and maintenance of the ISMS and possess the requisite competencies to perform the internal audit function. Below, we take a look at the clause and its individual requirements.
Clause 9.2 of the ISO 27001 standard requires that the organization shall conduct internal audits at planned intervals to provide information on whether the ISMS both conforms to organization’s own requirements for its ISMS (9.2a) as well as conforms to the requirements of the standard (9.2b). There are additional explicit requirements documented within this clause, detailed below.
Audit Program (9.2c)
The audit program should be documented to include the frequency and timing of internal audit functions, methods by which the internal audit will be conducted, and assignment of responsibilities for the planning, performance, and reporting of internal audit results.
Audit Criteria and Scope (9.2d)
While the audit program may take a higher level look at the internal audit function as a whole, it may be necessary to document the specifics of each audit that is planned. With respect to the internal audit of the controls within an organization’s statement of applicability, a risk based approach may be desired due to available resources, the need for more frequent review of controls mitigating higher risks, and directives by management or ISMS owners. Each periodic audit should be accompanied by the documentation of the criteria and scope of the audit to ensure objectives are met.
Auditor Selection and Independence (9.2e)
When selecting the audit team that will be responsible for conducting internal audit activities, it is paramount to consider the independence and impartiality of the members. Those responsible for conducting the audit should take care to ensure they are not auditing functions over which they have operational control or ownership. This is especially important when considering the auditors who will be reviewing the ISMS against the standard. One of the most common issues of nonconformity external auditors encounter is in the area of the internal audit of the ISMS against the standard, where the internal auditor selected had an integral role in developing the ISMS or continues to have a role in decision making for the maintenance and direction of the ISMS. If the internal auditor is auditing work that he/she created, or if the responsibility of initiating or implementing any corrective action falls back to that internal auditor, there may be an issue of independence.
Reporting on Audit Results (9.2f)
Once an internal audit has been conducted, the internal auditor has a responsibility to ensure the results are reported to appropriate management. Clause 9.3 includes a requirement that the periodic management review of the ISMS includes a review of, among other inputs, the results of the last internal audit. Identifying reporting and communication channels is the responsibility of the ISMS owners and is a requirement of the standard, specifically clause 7.4.
Audit Program and Record Retention (9.2g)
The planning documentation, as well as the records gathered during the internal audit activities, should be retained by the organization to ensure objectives are met. The results of the internal audit should also be maintained as a record of performance and support for the conclusions reached by the internal audit function. Documenting record retention policies is the responsibility of the ISMS owners and is a requirement of the standard, specifically clause 7.5.3.
The keys to an effective certification review, as well as the internal audit function, are a thorough understanding of the standard, effective planning, and clear and concise documentation. Also, a successful and well-operated ISMS, beyond the certification, requires acceptance and participation by all of those involved and under the direction of the system, form top management to staff level personnel.