
Starting the Internal Audit Process With ISO 27001

ISO Certifications

An internal audit process must be present within the organization and is vital to the design and effectiveness of any information security program. The requirements for the internal audit are set out in Clause 9.2 of the ISO 27001 standard. The process and time constraints of an internal audit vary based on the size and structure of the company, but the level of detail and the effectiveness expected of an internal audit should be similar across all organizations. Initially, many clients believe that an internal audit is a simple walkthrough of organization-specific processes and applicable controls; however, the internal audit requires the organization to review the ISO 27001 framework and all in-scope Annex A controls based on the Statement of Applicability (SOA). As a result, the ISO 27001 internal audit is more stringent and control-focused than many organizations expect it to be before beginning the audit.

Prior to initiating the internal audit, an organization must develop an audit plan that defines the audit scope and criteria. The organization must understand the audit criteria and scope so that it knows what the focus of the audit is and which standard is being used for the internal audit. Additionally, the audit plan must specify the frequency of the internal audit, the selected auditors, and their associated responsibilities. The internal auditors must be selected based on their objectivity and impartiality towards the audit process.

Once the internal audit is completed according to the audit plan, which must be approved by top management, the results of the audit must be documented and must conform to the ISO 27001 standard. The internal audit results must be communicated to top management through the management review, which occurs at least annually. Once the internal audit program is created, approved, and tested, the process matures over the following years, and consistency is valued and appreciated.

The ISMS internal audit is about management validating the effectiveness of the ISMS through substantive testing and reporting on that effectiveness. An organization that successfully implements the requirements of Clause 9.2 will be able to consistently and continually evaluate the effectiveness of the ISMS, with input from top management, to ensure that the ISMS conforms to the organization's requirements as well as to the ISO 27001 standard.
