Written by: Narendra Sahoo
ISO 27001 is a comprehensive international standard on information security management. Organizations trying to achieve ISO 27001 Certification for the very first time may find this to be a challenging task. Organizations that have developed a management system for information security will need to implement Internal Audits on a regular basis to ensure conformity to the standard. In this article, we will detail a 5-step method for the success of your internal audits.
Scope & Risk Assessment
Before you can begin, you must first determine the scope of the audit: its focus, which areas are of higher priority and need to be audited more frequently, and which areas are of lower priority or risk and can be audited less frequently. All areas affected by the standard must eventually be included in an audit, but not all areas need to be audited at the same frequency. Deciding this is a risk assessment: you are required to conduct a risk-based assessment to determine the areas of higher risk for the audit. For this, your team or consultant will need to understand your business operations, controls, and systems, and define the scope accordingly.
An experienced auditor or consultant will understand which areas of your business are of high risk or priority; if you are unsure, consulting an expert is never a bad idea.
It is important that your organization's audit scope is in alignment with the ISMS policy. This is the first thing an auditor will check, and it sets the stage for the remainder of the audit.
Once you have identified areas in your processes that fall in scope for your internal audit, you will need to prioritize your resources and prepare for the audit.
Documentation Review
After you have determined the scope of your audits and conducted the necessary risk assessment, you should begin reviewing the organization's documents concerning the administrative and business operations that are in place.
Documents reviewed at this stage cover the scope of your management system; its policies, procedures, and processes; the documents required by the standard; and any other documents the organization deems necessary for effectively maintaining the management system. Documents reviewed here should also fall within the audit scope defined in step 1. Documents should be reviewed using a sampling method, because depending on the size of your organization and the extent of your documentation, a full audit of all documentation may not be possible.
Here the auditor does a high-level review of the documents supporting the management system and its processes, and establishes whether the internal audit is in place. Reviewing the documents is an essential stage for planning and preparing the upcoming audit. The analysis of the documents allows the specific frameworks that may be required during the internal audit to be set. Moreover, the documentation review helps verify whether the established documents align with the requirements of the standard.
Onsite Audit
Once the audit scope is defined and the documents have been thoroughly reviewed, the next stage is an onsite audit to gather evidence and identify gaps in the management system and its processes.
This is an evidence-gathering process that includes interviewing employees, managers, and other stakeholders in your organization associated with the ISMS. The onsite audit determines whether your organization has met the minimum requirements of the standard and is ready for the ISO 27001 certification audit.
An onsite audit includes observing the established practices in your organization, interviewing staff and verifying processes and their effectiveness. Records are reviewed, evidence is collected, and a full audit report is created detailing the gaps identified, areas of nonconformity, and possible improvements in the management system.
Analysis
After the onsite audit has concluded, the evidence collected is analysed and sorted to classify the risks identified during the audit. The analysis identifies gaps against the base criteria and requirements of the ISO 27001 standard. The auditors compile these results, reveal the gaps in enforcement, and may further identify areas of the ISMS that require additional testing.
Audit Reporting
Audit reporting is the final stage of the assessment process. Here the auditor presents the findings of the audit. The internal audit report should be a detailed document comprising the scope, objective, high-level analysis, and key findings. It also includes the recommendations and corrective actions needed. The report should be presented to and discussed with management to agree a further plan of action.
ISO audits are extensive and require an investment of time and resources to successfully achieve ISO 27001 certification. Organizations need to prepare before taking the final plunge. Systematically following the audit process described above will not only ease the journey but also help ensure your organization meets the standard's requirements and achieves ISO 27001 certification. As with anything in business, the participation of top management in internal audits is critical. Top management ensures company-wide buy-in for developing effective audit plans, defining roles and responsibilities, and enforcing policies, procedures, and processes.
Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm based in the US, Singapore, and India. Mr. Sahoo holds more than 25 years of experience in the IT industry, with expertise in Information Risk Consulting, Assessment, and Compliance services. VISTA InfoSec specializes in Information Security audit, consulting, and certification services, which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2, PDPA, and PDPB, to name a few. The company has for years (since 2004) worked with organizations across the globe to address the regulatory and information security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.