If you are a fanatic – or less fanatic – reader of our articles, you will probably know the importance of ensuring information security and regulatory compliance by now. Therefore, evaluating performance and managing risks in that area is crucial for organisations. Are we making progress towards our compliance goals? Let’s see what’s happening with the Internal Audit.
Is risk being managed effectively? Are policies and procedures being applied correctly, or could they be improved? There is one answer to all of the questions above: The internal audit.
Internal audits are a helpful tool for businesses of all types. They assist an organisation in defining areas where it could improve, while also providing the information it needs to accomplish its goals. The internal audit should usually be performed by someone who is not a compliance officer assigned to the company. In other words, the internal audit is done independently and objectively, which makes sure that someone can look at all of the documentation and controls with a fresh eye. In this case, this fresh eye is called Compleye. This article will tell you everything you need to know about the way we perform internal audits.
Check, check, double check
Let us take you through the way we internally – see what we did there? – perform internal audits, in order for companies to prepare for ISO 27001 certification. We have established criteria for each chapter and control, since each of the ISO 27001 standards and norms has pre-established criteria. One by one, we check every single document, every single control and everything about how the company performs, or fails to.
Spill the beans – Internal Audit
Like a detective uncovering juicy details and a truffle dog finding delights in the forest, once we go through all of these criteria, we identify findings. Afterwards, we investigate these findings and – depending on their gravity and seriousness – they might be classified as non-conformities or areas of concern. A non-conformity is an audit designation indicating that the information security management system (or a portion of it) does not meet the requirements established by ISO 27001. In simple words, non-conformities mean that your company does not comply. Areas of concern, on the other hand, mean that your company does comply, but still needs to improve certain things.
Support and report
Later, we issue our report with all of our findings. These are defined as, and divided into, non-conformities and areas of concern. We send this report to the Management and ISMS team for review and approval. Once they have approved it, we record all of our findings in the improvement section of our platform Compleye Online.
Is the internal audit mandatory?
Let’s keep it short and sweet: yes. The internal audit is a mandatory step in order to go for the ISO 27001 certification. If you don’t have the internal audit done once per year, you can wave goodbye to getting certified.
Compleye’s Real Time Audit
The internal audit comprises a lot of steps and controls – and with a lot, we mean a lot – and therefore takes quite some time. Wouldn’t it be great if there was something that could make this process a bit easier and faster? What a coincidence! We are busy designing our next step on Compleye Online: the Real Time Audit. This automates and simplifies certain steps, which will come in handy for both the client and the internal auditor. That said, there will always be steps that we will keep doing manually.
To conclude, the main purpose of an internal audit is to prepare a company for the mandatory external audit. We look at every single policy and document, which makes it possible for the company to improve its status quo. You could see it as an additional control. The objective approach makes it possible to look at everything from a different perspective, so having someone who is not directly involved with the company perform the internal audit helps. Just see it as the clever checklist to move forward with the certification. Life, sometimes, doesn’t have to be that complicated.