Overview: ISO 27001 Requirement 9.2
- Introduction
- What is an ISO 27001 Internal Audit?
- Why are ISO 27001 Internal Audits Important?
- Does ISO 27001 require an internal audit?
- What are ISO 27001 internal audit requirements?
- Where is an internal audit mandatory?
- How to plan and conduct an ISO 27001 internal audit
- What to look for during an ISO 27001 internal audit
- How to report on the findings of an ISO 27001 internal audit
ISO 27001 is an international standard that provides a framework for managing information security risks. It is used by organisations of all sizes and industries to protect their sensitive information from unauthorized access, use, disclosure, disruption, modification, or destruction.
One of the key requirements to obtain an ISO 27001 certification is to conduct regular internal audits of the information security management system (ISMS). Internal audits help organisations to identify and address any weaknesses in their ISMS and to ensure that it is operating effectively.
This article provides a comprehensive guide to ISO 27001 internal audit. It covers the following topics:
- What is an ISO 27001 internal audit?
- Why are ISO 27001 internal audits important?
- How to plan and conduct an ISO 27001 internal audit
- What to look for during an ISO 27001 internal audit
- How to report on the findings of an ISO 27001 internal audit
- Does ISO 27001 require an internal audit?
- What are ISO 27001 internal audit requirements?
- Where is an internal audit mandatory?
What is an ISO 27001 Internal Audit?
An ISO 27001 internal audit is an independent assessment of the ISMS to determine whether it is conforming to the requirements of ISO 27001 and whether it is operating effectively. The audit is conducted by an internal auditor who is independent of the ISMS being audited.
Why are ISO 27001 Internal Audits Important?
ISO 27001 internal audits are important for a number of reasons:
- To comply with ISO 27001: ISO 27001 requires organisations to conduct regular internal audits of their ISMS.
- To identify and address weaknesses in the ISMS: Internal audits can help organisations identify weaknesses in their information security management system (ISMS) before they are exploited by attackers.
- To improve the effectiveness of the ISMS: Internal audits can help organisations identify areas where the ISMS can be improved.
- To provide assurance to stakeholders: Internal audits can provide assurance to stakeholders that the ISMS is operating effectively and that the organisation is taking steps to protect its sensitive information.
Does ISO 27001 require an internal audit?
Yes, ISO 27001 requires organisations to conduct regular internal audits of their information security management system. This requirement is set out in Clause 9.2 of the standard:
The organisation shall conduct internal audits at planned intervals to provide information on whether the ISMS:
- conforms to the organisation's own requirements for its information security management system; and
- meets the requirements of this international standard.
The standard does not specify how often internal audits should be conducted, but it is recommended that they be conducted at least annually.
Internal audits are an important part of maintaining an effective ISMS. They help organisations to identify and address any weaknesses in their ISMS before they are exploited by attackers.
What are ISO 27001 internal audit requirements?
ISO 27001 audit requirements:
- The audit must be conducted by an independent auditor who is qualified to audit ISO 27001.
- The audit must be planned and conducted in accordance with a documented audit methodology.
- The audit must cover all aspects of the ISMS, including risk assessment, information security controls, ISMS documentation, awareness and training, and management review.
- The audit findings must be documented in a report that is submitted to the organisation's management.
Organisations that are certified according to ISO 27001 must also undergo an external audit by a certification body. There are two kinds of external audit: a surveillance audit, conducted once a year, in which the ISMS is reviewed as part of ongoing evaluation; and a full external audit, which is more in-depth and is conducted every three years.
Benefits of an ISO 27001 audit:
- Improved information security posture
- Reduced risk of information security incidents
- Increased compliance with regulations
- Improved customer confidence
- Competitive advantage
If you are considering implementing ISO 27001 or if you are already certified, it is important to ensure that you are conducting regular internal audits. Internal audits are an essential tool for maintaining an effective ISMS and protecting your organisation from information security threats.
Where is an internal audit mandatory?
An internal audit is not required by law or regulation. However, it is a good practice for all organisations to conduct regular internal audits of their information security and other management systems.
To comply with ISO 27001, however, all organisations must conduct internal audits, regardless of their country or industry.
How to plan and conduct an ISO 27001 internal audit
To plan and conduct an ISO 27001 internal audit, organisations should follow these steps:
- Define the scope of the audit: The first step is to define the scope of the audit. This includes identifying the ISMS processes and controls that will be audited.
- Develop an audit plan: The next step is to develop an audit plan. This plan should identify the audit objectives, the audit methodology, and the audit resources required.
- Conduct the audit: The audit should be conducted in accordance with the audit plan. This involves interviewing staff, reviewing documentation, and observing processes.
- Document the audit findings: The audit findings should be documented in a report. This report should include the audit objectives, the audit methodology, the audit findings, and any recommendations for improvement.
- Follow up on the audit findings: The organisation should follow up on the audit findings and implement any necessary corrective actions.
What to look for during an ISO 27001 internal audit
During an ISO 27001 internal audit, the auditor will look for evidence that the ISMS is conforming to the requirements of ISO 27001 and that it is operating effectively. The auditor will focus on the following areas and evidence that supports them:
- Risk assessment: The auditor will assess whether the organisation has conducted a thorough risk assessment and whether the identified risks have been appropriately addressed.
- Information security controls: The auditor will assess whether the organisation has implemented and is maintaining appropriate information security controls to mitigate the identified risks.
- ISMS documentation: The auditor will assess whether the ISMS is adequately documented. You can find a list of the required documentation for the ISO 27001 certification here.
- Awareness and training: The auditor will assess whether staff are aware of their information security responsibilities and have received appropriate training.
- Management review: The auditor will assess whether the organisation conducts regular management reviews of the ISMS.
How to report on the findings of an ISO 27001 internal audit
The audit findings should be documented in a report. This report should include the following:
- Audit objectives: The audit objectives should be clearly stated in the report.
- Audit methodology: The audit methodology should be described in the report. This includes the audit techniques that were used and the sampling methods that were applied.
- Audit findings: The audit findings should be described in the report. This includes a description of any weaknesses that were identified in the ISMS.
- Recommendations: The report should include any recommendations for improvement.
The audit report should be submitted to the organisation's management.
TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.