Your guide to internal ISO 27001 audits
On your journey toward ISO 27001 compliance, and even after you’re certified, you’ll need to perform internal audits. These audits help you pass your ISO 27001 certification audit and help you maintain the strength of your information security management system (ISMS) as it evolves over time.
In this article, we’ll cover what an internal ISO 27001 audit is, what the requirements are for compliance, and the steps for conducting an internal audit on your ISMS.
What is an ISO 27001 internal audit?
Many compliance frameworks either require or recommend an internal audit ahead of your formal audit, usually as a readiness check. For ISO 27001, the internal audit is not optional: it is a requirement of the standard itself.
An ISO 27001 internal audit is an assessment of whether your ISMS conforms to ISO 27001 and to your organization’s own ISMS requirements, and whether it is effectively implemented and maintained. It is distinct from the risk assessment, which is an input to the ISMS rather than an audit of it. Clause 9.2 requires internal audits at planned intervals under a documented audit programme; the standard does not fix a frequency, but in practice most organizations audit the full ISMS at least once a year, aligned with the certification body’s surveillance audits. This keeps your security posture current and closes compliance gaps as they arise.
{{cta_withimage2="/cta-modules"}}
What is the goal of an ISO 27001 internal audit?
The purpose of an ISO 27001 internal audit is to confirm that your ISMS still conforms to the standard and works as intended. New risks and new gaps can appear whenever something in scope changes, such as a software update or a switch to a different cloud storage vendor. Internal audits are designed to catch that drift early, keep the ISMS effective over the long term, and prepare you for the external ISO 27001 certification audit.
Who can perform an ISO 27001 internal audit?
While an internal audit is a required part of ISO 27001 compliance, it is not performed by the certification body’s auditors. It must be performed by someone who understands ISO 27001 well enough to assess the ISMS and write an internal audit report, but that person does not need to hold a formal auditor credential. What Clause 9.2 does require is objectivity and impartiality: auditors must not audit their own work.
Many organizations select a member of staff who has no responsibility for the area being audited. You can also engage a third-party consulting firm, which is the usual choice for small teams where nobody is independent of the ISMS.
How to conduct an ISO 27001 internal audit
The process of performing an annual ISO 27001 internal audit generally consists of these six steps:
Step 1: Define internal audit scope
An ISO 27001 internal audit starts with getting an understanding of your ISMS, the ISO 27001 requirements, and determining which controls to assess. This can be guided by the Statement of Applicability you’ve prepared for your audit.
In this stage, you’ll also choose an internal auditor. Whether this person is part of your staff or an outside consultant, ensure that they understand the scope of your audit.
Step 2: Review documentation
Ahead of your internal audit, the auditor should review your documentation to ensure that you have the evidence and paperwork needed for ISO 27001 compliance. These documents include:
- ISMS Scope Statement: Describes the scope of your ISMS.
- ISMS Statement of Applicability: Details which ISO 27001 Annex A controls you’ve implemented or omitted, your reasoning, and how you’ve implemented the applicable controls.
- Information Security Policy: Explains your organization’s commitment and philosophy for information security.
- Risk assessment and risk treatment plan: Identifies the information security risks based on your operations and provides a plan for minimizing those risks.
- ISMS management review meeting minutes: Shares the discussion among leadership regarding the ISMS and how it’s aligned with your organization’s goals and operations.
- ISMS Corrective Action Report or gap analysis: Identifies how your organization will address any gaps in your compliance as they arise.
- Business Continuity Policy: Provides a plan for how your organization will continue to function and deliver critical services during a disruption, whether a security incident such as a data breach or an outage.
Your internal auditor should verify that all of these documents exist, are current, and are accurate.
Step 3: Undergo the internal audit
After the documentation review, your internal auditor performs the audit proper. This means working through each ISO 27001 clause and each Annex A control marked applicable in your Statement of Applicability, and verifying that the control is implemented as described and is effective. Verification relies on evidence, not assertions: the auditor samples records (access reviews, change tickets, training logs), inspects configurations, and interviews control owners. It takes time because many controls depend on one another, but the goal is to confirm that the ISMS is complete and operating as designed, and that your data is secure.
Step 4: Evaluate and document the results
When conducting the internal audit, your auditor will take detailed notes of their findings. These notes will include a record of how and where they verified the applicable security controls. After completing the audit, they’ll review these notes and take stock of which controls “passed” the audit and which may be missing or are no longer functioning properly.
Step 5: Prepare the internal audit report
When your internal auditor is done investigating your ISMS, they will prepare an internal audit report. This is required as you’ll need to present this report to your auditor during your official ISO 27001 certification audit to prove that you’ve been conducting internal audits.
The internal audit reports should include five components:
- Introduction: An overview of the scope of the audit and the audit’s objectives.
- Executive summary: The internal auditor’s key findings including their determination of whether or not you’re compliant.
- Report guidance: Recommendations of who should review the report and whether or not it should be classified as a confidential document.
- Audit findings: A detailed account of the controls the auditor assessed and what they found about how well-implemented and effective these controls are.
- Audit limitations: A statement noting any limitations to the scope of the audit.
Step 6: Management review
Now that you have the findings from your internal audit, it’s time to act on them. Each nonconformity needs a corrective action with an owner and a due date, and the audit results must be fed into the management review required by Clause 9.3, where leadership reviews them alongside the other ISMS inputs and decides on changes or improvements to the ISMS. If the internal report shows your organization is ready for the certification audit, you proceed to the external audit; if not, close the open nonconformities first, since an external auditor will check that internal audit findings have been addressed.
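The document review in Step 2 and the results tally in Step 4 are largely a cross-check: does every applicable control in the Statement of Applicability say how it is implemented and point at current evidence, and does every excluded control carry a justification? The following Python script is an added example of automating that cross-check; it is not code from the original page or from any tool the page describes. It assumes the SoA is exported as a CSV with the columns shown (a hypothetical layout), the control rows are a constructed sample, and evidence older than a configurable window is treated as stale.

```python
"""Cross-check a Statement of Applicability (SoA) export before an internal audit.

Added example. Assumes a hypothetical CSV layout with these columns:
control_id, title, applicable, justification, implementation, evidence_ref, evidence_date
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample SoA rows for illustration (not a real organization's SoA).
SOA_CSV = """\
control_id,title,applicable,justification,implementation,evidence_ref,evidence_date
A.5.1,Policies for information security,yes,,Policy reviewed and approved annually,policies/infosec-policy-v4.pdf,2024-03-01
A.5.7,Threat intelligence,no,No in-house SOC; threat intel is consumed via the MSSP contract,,,
A.8.7,Protection against malware,yes,,EDR agent deployed to all managed endpoints,edr/coverage-report.csv,2022-11-15
A.8.12,Data leakage prevention,no,,,,
A.8.24,Use of cryptography,yes,,TLS 1.2 or later enforced at the edge,,
"""


@dataclass(frozen=True)
class Finding:
    control_id: str
    # one of: missing_justification, invalid_status, missing_implementation,
    # missing_evidence, invalid_evidence_date, stale_evidence
    kind: str
    detail: str


def parse_soa(text: str) -> list[dict]:
    """Read the SoA CSV into one dict per control row."""
    return list(csv.DictReader(io.StringIO(text)))


def check_soa(rows: list[dict], audit_date: date, max_evidence_age_days: int = 365) -> list[Finding]:
    """Return one Finding per inconsistency an internal auditor would raise.

    Rules applied:
      * an excluded control must carry a documented justification;
      * an applicable control must say how it is implemented and point at evidence;
      * evidence dated before the review window is stale and needs refreshing.
    """
    findings: list[Finding] = []
    cutoff = audit_date - timedelta(days=max_evidence_age_days)
    for row in rows:
        cid = row["control_id"].strip()
        status = row["applicable"].strip().lower()
        if status == "no":
            if not row["justification"].strip():
                findings.append(Finding(cid, "missing_justification",
                                        "control is excluded but no justification is recorded"))
            continue
        if status != "yes":
            findings.append(Finding(cid, "invalid_status",
                                    f"applicable={row['applicable']!r} must be yes or no"))
            continue
        if not row["implementation"].strip():
            findings.append(Finding(cid, "missing_implementation",
                                    "applicable control has no implementation description"))
        if not row["evidence_ref"].strip():
            findings.append(Finding(cid, "missing_evidence",
                                    "applicable control has no evidence reference"))
            continue
        try:
            evidence_date = date.fromisoformat(row["evidence_date"].strip())
        except ValueError:
            findings.append(Finding(cid, "invalid_evidence_date",
                                    f"evidence_date={row['evidence_date']!r} is not an ISO date"))
            continue
        if evidence_date < cutoff:
            age = (audit_date - evidence_date).days
            findings.append(Finding(cid, "stale_evidence",
                                    f"evidence is {age} days old (limit {max_evidence_age_days})"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings by kind, for the executive summary of the audit report."""
    return dict(Counter(f.kind for f in findings))


def audit_sample(audit_iso: str = "2024-06-01", max_evidence_age_days: int = 365) -> list[Finding]:
    """Run the check over the constructed sample SoA as of the given ISO date."""
    return check_soa(parse_soa(SOA_CSV), date.fromisoformat(audit_iso), max_evidence_age_days)


if __name__ == "__main__":
    results = audit_sample()
    for f in results:
        print(f"{f.control_id:<8} {f.kind:<22} {f.detail}")
    print(summarize(results))
```

Run against the sample as of 2024-06-01, the script raises three findings: the EDR coverage report is stale, the data leakage prevention exclusion has no justification, and the cryptography control has an implementation description but no evidence. Those are exactly the gaps an external auditor would catch, so resolving them before Step 5 keeps them out of the report's nonconformity list.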
ISO 27001 internal audit FAQs
We’ve answered some of the most common questions about ISO 27001 internal audits below:
Does ISO 27001 require an internal audit?
Yes. Unlike some other frameworks, which only recommend a readiness review, ISO 27001 makes the internal audit a requirement. Clause 9.2 requires internal audits at planned intervals under a documented audit programme, with the interval justified by the importance of the processes concerned and the results of previous audits. The standard does not mandate an annual audit, but a full audit at least once a year is the common practice and what most certification bodies expect to see.
What are the different types of ISO 27001 internal audits?
There are three types of internal ISO 27001 audits you could conduct:
- System audit: A comprehensive internal audit that assesses your ISO 27001 compliance throughout your entire ISMS.
- Process audit: A review of only specific processes within your ISMS.
- Product audit: An audit of the information security of a specific product or service your organization offers.
Process and product audits let you focus on specific aspects of your ISMS, for example after a major change. They do not replace the full system audit: your audit programme must still cover every ISMS clause and every applicable Annex A control, and most organizations plan that full coverage on an annual cycle.
How long does an ISO 27001 internal audit take?
There’s no clear-cut timeline for an ISO 27001 internal audit. The length of time it takes will vary greatly depending on the complexity of your ISMS, the familiarity and skill of the person conducting the internal audit, how well-prepared you are for the audit, and other factors.
Streamline your internal ISO 27001 audit
By using Vanta, you can save your business valuable time and money during your ISO 27001 audit process. Learn how you can get your ISO 27001 certification faster by requesting a demo.
{{cta_testimonial3="/cta-modules"}}