An internal audit process should be present within the organization, and it is vital to the design and effectiveness of any information security program. The requirements for an internal audit are found in Clause 9.2 of the ISO-27001 standard. The process and time constraints of an internal audit vary based on the size and structure of the company; however, the level of detail and the effectiveness of an internal audit should be similar across all organizations. Many clients initially believe that an internal audit is a simple walkthrough of organization-specific processes and applicable controls. In fact, the internal audit requires the organization to review the ISO-27001 framework and all in-scope Annex A controls based on the Statement of Applicability (SOA). As a result, the ISO-27001 internal audit is more stringent and control-focused than many organizations expect it to be before the audit begins.
Prior to starting the internal audit, an organization must develop an audit plan that defines the audit scope and criteria. The organization must understand the audit criteria and scope so that it knows what the focus of the audit is and which standard is being used for the internal audit. The audit plan must also state the frequency of the internal audit, the selected auditors, and their associated responsibilities. Internal auditors must be selected on the basis of objectivity and impartiality toward the audit process.
The audit plan must be approved by top management. Once the internal audit is completed according to that plan, the results must be documented in a manner that conforms to the ISO-27001 standard. The internal audit results must be communicated to top management through the management review, which occurs at least annually. Once the internal audit program has been created, approved, and tested, the process matures over the following years, and consistency is valued and appreciated.
The ISMS internal audit is management's means of validating the effectiveness of the ISMS through substantive testing and reporting on the results. An organization that successfully implements the requirements of Clause 9.2 will be able to consistently and continually evaluate the effectiveness of the ISMS, with input from top management, to ensure that the ISMS conforms to both the organization's requirements and the ISO-27001 standard.