What are the ISO 27001 Internal Audit Requirements?

On the television show Alone, contestants must self-document themselves attempting to survive in harsh terrain. Without established shelter, a consistent food supply, or any other humans in the remote area to help—it’s a heavy lift in every way even for the most seasoned survivalist.

Here in the compliance world, ISO 27001 represents a parallel challenging endeavor with its similar comprehensive approach to information security. You may not be living solely off the land, but implementing a holistic information security management system (ISMS) in order to meet this standard is difficult—particularly where the internal audit requirement is concerned.

If you were to ask a former Alone contestant what was the hardest part of living remotely, different folks might have various answers, but as an ISO Certification Body, we consistently get feedback that the internal audit function is a particularly tricky part of the ISO 27001 standard.

To help you avoid the confusion and difficulties other organizations experience, we’re going to address the complexities of the ISO 27001 internal audit and break them down, including the explicit requirements stated within the standard.

Contestants on Alone may have been on their own in trying to survive a tough gauntlet, but you aren’t—read on so that you can maintain your compliance with these requirements that much more easily.

What is ISO 27001 Clause 9.2?

The trouble with the internal audit is that many organizations go into it thinking that, functionally, it’s just a simple walkthrough of organizationally specific processes and applicable controls; however, they soon realize that the ISO 27001 internal audit is actually more stringent and control-focused than previously believed.

That’s because to successfully meet the ISO 27001 requirements for internal audit, you’ve got to review the framework and all in-scope Annex A controls based on your Statement of Applicability (SOA). As such, implementing Clause 9.2—which is where all the detailed requirements for your internal audit function are located within the standard—can be challenging, especially for smaller organizations.

Why? There are two reasons:

  • The prescriptive nature of the requirements.
  • The need for resources that:
    • Are independent of the development and maintenance of the ISMS; and
    • Possess the requisite competencies to perform the internal audit function.

While we can’t help with finding you resources, we can explain in more detail each of the requirements, which we’ll do now by addressing each subclause of 9.2.

ISO 27001 Clause 9.2 Breakdown

The first two sections we can get through quickly:

  • 9.2a requires that you conduct internal audits at planned intervals to provide information on whether your ISMS conforms to your own requirements for the ISMS.
  • 9.2b requires that your internal audit conforms to the requirements of the standard.

 But what does that really mean—“conform to the requirements of the standard?” Let’s take a look at the additional explicit requirements documented within this clause so that you understand exactly how to go about your internal audit.

ISO 27001 Clause 9.2c - Audit Program

What The Standard Says to Do: Plan, establish, implement, and maintain an audit program, including the frequency, methods, responsibilities, planning requirements, and reporting.

How to Comply: Your audit program should be documented to include:

  • The frequency and timing of internal audit functions,
  • Methods by which the internal audit will be conducted, and
  • Assignment of responsibilities determining documentation requirements for the planning, performance, and reporting of internal audits.

In recording all this, make sure to consider the importance of the relevant processes and any results of previous audits.

ISO 27001 Clause 9.2d - Audit Criteria and Scope

What The Standard Says to Do: Define the audit criteria and scope for each audit.

How to Comply: While your audit program may also take a higher-level look at your internal audit function as a whole, it may be necessary to document the specifics of each audit that you plan.

With respect to the internal audit of the controls within your SOA, you might opt for a risk-based approach in this due to:

  • Available resources;
  • The need for more a frequent review of controls and processes mitigating higher risks; and
  • Directives by management or ISMS owners.

Each of your periodical internal audits should be accompanied by documentation of the criteria and scope of the audit to ensure objectives are met.

ISO 27001 Clause 9.2e - Auditor Selection and Independence

What The Standard Says: Select auditors to conduct audits that ensure the impartiality of the audit process.

How to Comply: When selecting the audit team that will be responsible for conducting internal audit activities, the independence and impartiality of the members are paramount. Not only should the people you choose take care to ensure they are not auditing functions over which they have operational control or ownership, but impartiality is also especially important when considering the auditors who will be reviewing your ISMS against the standard.

In our experience, that’s one of the more common areas we encounter nonconformities—the internal audit of the ISMS against the standard.

Many times, organizations will select an internal auditor who had an integral role in developing the ISMS or who continues to have a role in decision-making for the maintenance and direction of the ISMS. But if that’s the case—if the internal auditor is auditing work that he/she created, or if the responsibility of initiating or implementing any corrective action falls back to that internal auditor—there may be an issue of independence, so you should take care to avoid this misstep.

ISO 27001 Clause 9.2f - Reporting on Audit Results

What The Standard Says: Report the results of the audit to relevant management.

How to Comply: Once you complete your internal audit, the internal auditor has a responsibility to ensure the results are reported to appropriate management. These results should be communicated via the management review that occurs on at least an annual basis.

Once your internal audit program is created, approved, and tested, and you establish this review cadence, your process should mature and improve over the following years.

ISO 27001 Clause 9.2g - Audit Program and Record Retention

What The Standard Says: Retain and document information as evidence of the audit program and results.

How to Comply: Documenting record retention policies is the responsibility of the ISMS owners and is a requirement of the standard (specifically, clause 7.5.3).

They should retain the planning documentation as well as the records gathered during the internal audit activities to ensure objectives are met. You should also maintain the results of the internal audit as a record of performance and support for the conclusions reached by your internal audit.

Moving Forward with ISO 27001 Certification

Your ISO 27001 internal audit is about validating the effectiveness of your ISMS through substantive testing and reporting of the results. If you can successfully implement the requirements of Clause 9.2, as outlined here, you’ll be more easily able to consistently do this, though you will need support and input from top management.

The ISO 27001 internal audit may be one of the toughest hurdles to certification, but now you’re better equipped to “survive” it (even if you may not yet be ready to survive a stint on Alone). To help deconstruct some of ISO 27001’s other complexities and updates, check out our other content to ensure you’re that much more prepared for certification:

About the Author

Ryan Mackie

Ryan Mackie is a Principal at Schellman & Company, LLC, and has been with the firm since 2005. Ryan supports the regional Florida market and manages SOC, PCI-DSS, ISO, HIPAA, and Cloud Security Alliance (CSA) STAR Certification and Attestation service delivery. He also oversees the firm-wide methodology and execution for the ISO certification services, including ISO 27001, ISO 9001, ISO 20000-1, and ISO 22301 as well as CSA STAR certification services. He has over 25 years of experience. Ryan also is an active member of the CSA and co-chairs the Open Control Framework committee which is responsible for the CSA STAR Program methodology and execution.

More Content by Ryan Mackie
Previous Article
ISO 27001: Role of Top Management and Its Importance
ISO 27001: Role of Top Management and Its Importance

Involvement from top management is critical to the design and effectiveness of any information security pro...

Next Article
ISO/IEC 27001:2013 Initial Certification – What Do I Need To Know?
ISO/IEC 27001:2013 Initial Certification – What Do I Need To Know?

When it comes to undergoing an ISO/IEC 27001:2013 (ISO 27001) certification audit, the initial certificatio...