Major Update:Brand New Design Powered by Powerful Features.
ISO 27001 Audit

ISO 27001 Audit

Although an internal audit is critical to ISO 27001 compliance, the audit process can seem very complex for some organizations.
by
Marc Abbink
Quality Management
November 11, 2023

ISO 27001 Audit

Although an internal audit is crucial for ISO 27001 compliance, the audit process can seem very complex for some organizations. For a successful ISO 27001 audit on behalf of a fully-fledged information security management system (ISMS= Information Security Manaagement System), the following five stages are essential:

1) Scope and the pre-audit examination

Auditors should perform a risk analysis to determine the focus for the audit. This includes areas that are normally out of scope. Sources of information may include the results of a previous audit, previous ISMS reports or other documents such as ISMS policies.

First, the scope of the audit must be relevant to the organization. This means that it should match the scope of the ISMS being certified. In the case of large organizations, auditors should audit the ISMS used at all business locations. In a situation where there are many locations, a representative sample may suffice.

During the preliminary phase of research for the actual audit, auditors should also identify and approach key stakeholders in the ISMS. The purpose of this is to request the documentation that will be reviewed during the audit.

2) Planning and preparation

Once the scope of the ISMS audit is established, auditors should break it down in detail by generating an ISMS audit plan. In this plan, the timing and resources of the audit are agreed upon with management. Conventional project planning charts, such as Gantt, can be helpful here.

Audit plans identify and set boundaries around the remaining phases of the audit, often include "benchmarks" that describe specific opportunities for auditors to provide significant, interim updates to executives. Such updates allow auditors to raise critical issues about access to information. Such issues may also be important to management in advancing the audit process.

The timing of the specific tasks in the audit process is important to set appropriate priorities. That way, timely attention can be given to certain aspects that could potentially pose a major risk to the organization if the ISMS is found to be inadequate.

3) Fieldwork

Once an ISMS audit work plan is generated, auditors must collect data by interviewing employees, managers and other stakeholders involved in the ISMS. Collecting ISMS documents, printing, reviewing data and observing current ISMS processes also takes place during this phase. In addition, audit tests should be performed to validate those previously found, as well as the preparation of audit-related working papers documenting the tests performed.

The first phase of fieldwork usually includes an auditor's review of the prepared documentation related to and resulting from the ISMS. These findings may indicate that specific audit testing is needed to assess the proper functioning of the ISMS over ISO 27001.

4) Analysis

Audit information must be sorted, stored and assessed in relation to risks and established objectives. In an occasional case, an analysis may reveal gaps that create the need to conduct more audits. In that case, additional field testing cannot be ruled out as desirable.

5) Reporting

This essential part of the audit process usually consists of a number of key issues:

  • An introduction clarifying the scope, objectives, timing and extent of the work performed;
  • A summary with key findings, a brief analysis and a conclusion;
  • The intended recipients of the report and, in an incidental case, guidelines for classification and dissemination;
  • Detailed findings and analyses;
  • Conclusions and recommendations;
  • An auditor's report with detailed recommendations or limitations.

The draft audit report

The draft audit report should be presented to management for further discussion of the findings. Additional review and revision may be necessary because the final report usually relates to the management that created the action plan.

Written by

Marc Abbink

View Bio
De Safety Culture Ladder: bewust bezig met veiligheid

De Safety Culture Ladder: bewust bezig met veiligheid

Voor wie werk je als QHSE-manager? Voor de auditor of voor de mensen in je organisatie? Wij hopen natuurlijk op het laatste, maar wij kennen ook voorbeelden van het eerste.
Quality Management
November 11, 2023
What is quality management and why is it important?

What is quality management and why is it important?

Discover in 5 steps how to use quality management to reduce errors, save costs and increase customer satisfaction within the organization, products, processes or services you provide.
Quality Management
November 11, 2023
A management system for industry associations

A management system for industry associations

Trade associations and their members play an important role in our economy and society. They support businesses, bring professionals together and represent the interests of their sector.
Quality Management
November 11, 2023

Vermijd de chaos. Always in-control.

Plan een korte online demo
Plan geheel vrijblijvend jouw online demo
Contact
info@iso2handle.nl
+(31) 850 806 340
Landdrostlaan 51
7327 GM  Apeldoorn
The Netherlands
Starten
Plan gratis demoBrochures & whitepapersPrijzen
Resources
StatusNormenAVGVoorwaardenCookiebeleidPrivacybeleidChangelog

Wij geven superpowers aan
Quality & Riskmanagers

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
© ISO2HANDLE | www.iso2handle.nl | Alle rechten voorbehouden | KVK nummer: 67160492 | BTW: NL856855236B01
Landdrostlaan 51, 7326GM, Apeldoorn, The Netherlands
5.0/5
op Google reviews