ISO 27001 Audit
While an internal audit is critical to compliance with ISO 27001, the audit process can seem very complex to some organizations. For a successful ISO 27001 audit of a full-fledged information security management system (ISMS), the following five phases are essential:
1) Scope and pre-audit study
Auditors must perform a risk analysis to determine the focus of the audit. This also applies to areas that are normally out of reach. Sources of information include the results of a previously conducted study, earlier ISMS reports, or other documents such as the ISMS policy.
The scope of the audit must first of all be relevant to the organization. This means that it must match the scope of the ISMS that is being certified. In the case of large organizations, auditors must verify the ISMS as it is used at all business locations. Where there are many locations, a representative sample may suffice.
During the preliminary study that precedes the actual audit, auditors should also identify and approach the key stakeholders in the ISMS, in order to request the documentation that will be reviewed during the audit.
2) Planning and Preparation
Once the scope of the ISMS audit has been determined, auditors must break it down in detail by drawing up an ISMS audit plan. In this plan, the timing and resources of the audit are agreed with management. Conventional project planning charts, such as Gantt charts, can help with this.
Audit plans that set boundaries around the remaining stages of the audit often include “benchmarks”: specific opportunities for auditors to give important interim updates to executives. Such updates enable auditors to raise critical issues, such as problems with access to information, which can also matter to management for the progress of the audit process.
The timing of the specific tasks in the audit process is important for setting the right priorities. In this way, timely attention can be given to aspects that may pose a major risk to the organization if the ISMS is found to be insufficient.
3) Fieldwork
Once an ISMS audit work plan has been generated, auditors must collect data by interviewing employees, managers and other stakeholders involved in the ISMS. Collecting ISMS documents, printouts and data, and observing current ISMS processes, also takes place in this phase. In addition, audit tests must be carried out to validate the findings so far, and working documents must be prepared that record the tests carried out.
The first phase of fieldwork usually includes the auditor's review of the documentation prepared in relation to, and resulting from, the ISMS. These findings may indicate that specific audit tests are necessary to ensure the proper functioning of the ISMS under review against ISO 27001.
4) Analysis
The audit evidence must be sorted, stored and assessed in relation to the risks and the established objectives. Occasionally, an analysis shows gaps that create the need for further audit work; in that case, additional field tests may be desirable.
5) Reporting
This essential part of the audit process usually consists of the following elements:
- An introduction clarifying the scope, objectives, timing and extent of the work carried out;
- A summary with the key findings, a brief analysis and a conclusion;
- The intended recipients of the report and, where applicable, classification and distribution guidelines;
- Detailed findings and analyses;
- Conclusions and recommendations;
- An auditor's statement with detailed recommendations or limitations.
The draft audit report
The draft audit report should be submitted to management to discuss the findings further. An additional review and revision may be necessary, because the final report usually relates to the action plan drawn up by management.