ISO 27001 Audit
Although an internal audit is crucial for ISO 27001 compliance, the audit process can seem very complex to some organizations. For a successful ISO 27001 audit on behalf of a fully-fledged information security management system (ISMS= Information Security Manaagement System), the following five stages are essential:
1) Scope and pre-audit examination
Auditors should perform a risk analysis to determine the focus for the audit. This includes areas that are normally out of scope. Sources of information may include the results of a previous audit, previous ISMS reports or other documents such as ISMS policies.
First, the scope of the audit must be relevant to the organization. This means that it should match the scope of the ISMS being certified. In the case of large organizations, auditors should audit the ISMS used at all business locations. In a situation where there are many locations, a representative sample may suffice.
During the preliminary phase of research for the actual audit, auditors should also identify and approach key stakeholders in the ISMS. The purpose of this is to request the documentation that will be reviewed during the audit.
2) Planning and preparation
Once the scope of the ISMS audit is established, auditors should break it down in detail by generating an ISMS audit plan. In this plan, the timing and resources of the audit are agreed upon with management. Conventional project planning charts, such as Gantt, can be helpful here.
Audit plans identify and set boundaries around the remaining phases of the audit, often include "benchmarks" that describe specific opportunities for auditors to provide significant, interim updates to executives. Such updates allow auditors to raise critical issues about access to information. Such issues can also be important to management in advancing the audit process.
The timing of the specific tasks in the audit process is important to set appropriate priorities. That way, timely attention can be given to certain aspects that could potentially pose a major risk to the organization if the ISMS is found to be inadequate.
3) Fieldwork
Once an ISMS audit work plan is generated, auditors must collect data by interviewing employees, managers and other stakeholders involved in the ISMS. Collecting ISMS documents, printing, reviewing data and observing current ISMS processes also takes place during this phase. In addition, audit tests should be performed to validate those previously found, as well as the preparation of audit-related working papers documenting the tests performed.
The first phase of fieldwork usually includes an auditor's review of the prepared documentation related to and resulting from the ISMS. These findings may indicate that specific audit testing is needed to assess the proper functioning of the ISMS over ISO 27001.
4) Analysis
Audit information must be sorted, stored and assessed in relation to risks and established objectives. In an occasional case, an analysis may reveal gaps that create the need to conduct more audits. In that case, additional field testing cannot be ruled out as desirable.
5) Reporting
This essential part of the audit process usually consists of a number of key issues:
- An introduction clarifying the scope, objectives, timing and extent of the work performed;
- A summary with key findings, a brief analysis and a conclusion;
- The intended recipients of the report and, occasionally, guidelines for classification and dissemination;
- Detailed findings and analyses;
- Conclusions and recommendations;
- An auditor's report with detailed recommendations or limitations.
The draft audit report
The draft audit report should be presented to management for further discussion of the findings. Additional review and revision may be necessary because the final report usually relates to the management that created the action plan.