An ISO 27001 internal audit checklist is a handy tool to make sure you tick all of the internal audit boxes. We’re providing you with your very own ISO 27001 internal audit checklist template, as well as some very useful information on the ISO 27001 internal audit process.
What is an ISO 27001 internal audit?
You might assume an internal audit is a bit like a test run for the ultimate test – the external audit – but that’s not entirely accurate. In their article “ISO 27001 Certification Audits Versus Internal ISMS Audits: The Difference is Important”, Pivot Point Security outline the difference succinctly:
“Put simply, the ISMS internal audit is about management validating the effectiveness of the ISMS whereas the certification audit is about the auditor validating that your ISMS is compliant with the standard.”
That sums it up nicely. Essentially, the ISO 27001 internal audit is the process that addresses Clause 9.2 of the standard. Clause 9.2 requires you to conduct internal audits at planned intervals to check that your ISMS conforms both to your own requirements and to the requirements of ISO 27001, and that it is effectively implemented and maintained. In practice that means verifying that the ISMS processes and the Annex A controls you selected in your Statement of Applicability are in place and operating as expected.
Is internal audit mandatory for ISO 27001?
To obtain your ISO 27001 certification, an internal audit is, indeed, mandatory. Without it, you won’t be able to move on to the next step of your certification process and ultimately, your external audit. You also won’t be able to identify non-conformities and implement improvements.
And since (in the words of ISO themselves) “ISO standards are internationally agreed by experts. Think of them as a formula that describes the best way of doing something,” you want to make sure you do your certification in the best way, too. That means following the required processes, step by (detailed) step. If you do that, you’re bound to be one of the many ISO 27001 success stories.
Obtaining the certificate is not the end of internal auditing either. Once you hold your ISO 27001 certificate, regular internal audits remain necessary to ensure your ISMS continues to meet the requirements, and the certification body will expect to see evidence of an ongoing audit programme at its surveillance audits.
Maintaining certification isn’t the only reason to audit regularly, though. Regular audits let you uncover non-conformities in time, keep a strong security system in place, and ensure continual improvement.
Can you fail an ISO 27001 audit?
Although you might get many non-conformities or suggestions for improvements during your ISO 27001 internal audit, you cannot actually fail it. Still, it’s vital to plan for your internal audit. Naturally, an ISO 27001 internal audit template will help you to ensure that you cover all necessary evidence.
In our article ISO 27001 Non-Conformance Examples: Both Major and Minor, we talk about non-conformities that could contribute to your organisation not attaining ISO 27001 certification. Of course, before you get to the point of external audit, you first need to tick the internal audit box. There are a number of reasons you might not do well on your ISO 27001 internal audit.
Let’s look at 5 of the major causes for non-conformity:
1. Missing mandatory documentation
The sheer volume of documentation required for ISO 27001 is one of the reasons organisations shy away from the process. But with today’s online tools and automated platforms, keeping track of and organising documentation has become simpler and easier than ever before.
At the click of a button, you can now see what evidence you have. Your auditor will have a list of documentation they’ll want you to have at your fingertips. The standard does not publish a single consolidated list of mandatory documents, but it does require specific documented information across its clauses (the scope, the policy, the risk assessment and treatment process, the Statement of Applicability and evidence of audit and review results, among others), and there are certain documents your auditor is likely to request.
These include:
- Scope of the ISMS
- Information security policy and objectives
- Risk assessment and risk treatment methodology
- Statement of Applicability
- Risk treatment plan
- Risk assessment report
- Definition of security roles and responsibilities
- Inventory of assets
- Acceptable use of assets
- Access control policy
- Operating procedures for IT management
- Secure system engineering principles
- Supplier security policy
- Incident management procedure
- Business continuity procedures
- Statutory, regulatory, and contractual requirements
2. Failing to follow procedures
Now, we aren’t talking about a list of procedures someone else has provided. We’re talking about your own procedures, policies and processes which will be defined in your ISMS.
Not only will you need to be following all of your policies, procedures and processes, but your staff must also have been apprised of them through training.
You need to make sure your policies and procedures are documented and be able to locate the documentation easily.
3. ISMS that doesn’t sufficiently define external and internal issues affecting your organisation’s purpose
Internal issues are any factors that fall under the control of your organisation and include:
- Organisational structure
- Available resources
- Organisational drivers
- Organisational operations
External issues are factors outside your company that might hinder your success. Although you can’t control external factors, you can adapt to them. Some examples of external factors are:
- Market and customer trends
- Perceptions and values of external interested parties
- Applicable laws and regulations
- Political and economic conditions
- Technological trends and innovations
4. Failure of top management to demonstrate their commitment to ISMS implementation
Top management should demonstrate leadership and commitment with respect to the ISMS by:
- Ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organisation
- Ensuring the integration of the information security management system requirements into the organisation’s processes
- Ensuring that the resources needed for the information security management system are available
- Communicating the importance of effective information security management and of conforming to the information security management system requirements
- Ensuring that the information security management system achieves its intended outcomes
- Directing and supporting persons to contribute to the effectiveness of the information security management system
- Promoting continual improvement
5. Failure to assign roles and responsibilities for information security
Managing the ISMS and being responsible for information security are different things. Everyone is responsible for information security; it’s an organisation-wide initiative. The ISMS, however, needs clearly assigned owners.
Five typical roles and responsibilities you might want to assign are:
- Security Leadership
- Security Risk Management
- Internal Audit
- Control Owners
- All-employee training
Costs of an ISO 27001 audit
According to Drata, “The cost of an ISO 27001 internal audit for a small to medium size company will cost $5,000 to $15,000.” That’s € 4,676.80 to € 14,030.40.
Luckily, there are companies that cater specifically to start-ups: Compleye charges in the region of €1,750 (approx 2 days work, including investigation meeting) for instance.
Preparing an ISO audit checklist
Preparing your checklist is an important step in ensuring you’re ready for your audit. The checklist is used by your internal auditor to assess whether your ISMS meets the requirements of ISO 27001. To prepare your checklist:
- Review the ISO 27001 documentation, including the clauses of the standard and the Annex A controls in your Statement of Applicability
- Identify key processes and procedures
- Assess whether you’ve documented your ISMS in line with the standard.
Once you’ve identified the requirements, you can develop a checklist to guide the audit process. The checklist should be clear and concise: each item should name the clause or control it covers, the question the auditor will ask, the evidence expected, and space to record the finding.
By preparing a comprehensive and well-structured ISO audit checklist, you demonstrate your commitment to information security management and ensure a smooth audit process.
A high level ISO 27001 internal audit checklist & ISO 27001 internal audit checklist template
A complete (free) checklist can be downloaded here, but to give you an idea of what your checklist should cover, we’ve provided a high-level ISO 27001 internal audit checklist below. The headings follow the Annex A domain names of the 2005 edition of the standard; later editions regroup the controls (the 2022 edition into organisational, people, physical and technological themes), so map each heading to the controls actually listed in your Statement of Applicability.
- Management Responsibility: ISMS policy and objectives, implementation and management review
- Asset Management: Asset identification and classification, asset protection process
- Human Resources Security: Personnel security policies, employee background check and termination process
- Physical and Environmental Security: Physical access controls and environmental threat protection
- Communications and Operations Management: Data backup and disaster recovery, operational software and systems control
- Access Control: User access controls and password management, network resources access control
- Information Systems Acquisition, Development and Maintenance: Software development life cycle policies, information systems changes management
- Information Security Incident Management: Incident reporting, security incident response
- Business Continuity Management: Disaster recovery and business continuity plans, business continuity plan testing and maintenance
- Compliance: Legal and regulatory requirement compliance, ongoing compliance monitoring and assurance
The Future of Internal Audit Checks
The great news is that the future of ISO 27001 internal audit is real-time audit where evidence checks will be 80% automated and 20% manual. Compleye Online has already taken a huge step towards automating your compliance certification and we invite you to check out our free demo here.