ISO 27001 Clause 9.2 Internal audit


ISO 27001 Clause 9.2 Internal audit: the organization conducts internal audits to provide information on whether the ISMS conforms to its requirements.

Implementation Guideline

Evaluating an ISMS at planned intervals by means of internal audits provides assurance of the status of the ISMS to top management. Auditing is characterized by a set of principles: integrity; fair presentation; due professional care; confidentiality; independence; and an evidence-based approach (see ISO 19011). Internal audits provide information on whether the ISMS conforms to the organization’s own requirements for its ISMS as well as to the requirements in ISO/IEC 27001.

The organization’s own requirements include:
  1. Requirements stated within the information security policy and procedures;
  2. Requirements produced by the framework for setting information security objectives, including outcomes of the risk treatment process;
  3. Legal and contractual requirements;
  4. Requirements on the documented information.

Auditors also evaluate whether the ISMS is effectively implemented and maintained. An audit program describes the general framework for a group of audits, planned for specific time frames and directed towards specific purposes. This is different from an audit plan, which describes the activities and arrangements for a single audit. Audit criteria are a set of policies, procedures or requirements used as a reference against which audit evidence is compared, i.e. the audit criteria describe what the auditor expects to find in place. An internal audit can identify nonconformities, risks and opportunities. Nonconformities are managed according to the requirements of Clause 10.1, and risks and opportunities are managed according to the requirements of Clause 6.1. The organization is required to retain documented information about the audit program and the audit results.

Managing an audit program

An audit program defines the structure and responsibilities for planning, conducting, reporting and following up on individual audit activities. As such, it should ensure that the audits conducted are appropriate, have the proper scope, minimize the impact on the operations of the organization and maintain the required quality of audits. An audit program should also ensure the competence of audit teams, appropriate maintenance of audit records, and the monitoring and review of the operations, risks and effectiveness of audits. Further, an audit program should ensure that the ISMS (i.e. all relevant processes, functions and controls) is audited within a specified time frame. Finally, an audit program should include documented information about the types, duration, locations and schedule of the audits.

The extent and frequency of internal audits should be based on the size and nature of the organization as well as on the nature, functionality, complexity and level of maturity of the ISMS (risk-based auditing). The effectiveness of the implemented controls should be examined within the scope of internal audits.

An audit program should be designed to ensure coverage of all necessary controls and should include evaluation of the effectiveness of selected controls over time. Key controls (according to the audit program) should be included in every audit, whereas controls implemented to manage lower risks may be audited less frequently. The audit program should also take into account that processes and controls should have been operational for some time to enable the evaluation of suitable evidence.

Internal audits concerning an ISMS can often be performed effectively as part of, or together with, other internal audits of the organization. The audit program can include audits related to one or more management system standards, conducted either separately or together. An audit program should include documented information about: audit criteria, audit methods, selection of audit teams, processes for handling confidentiality, information security, health and safety provisions for auditors, and other similar matters.

Competence and evaluation of auditors

Regarding competence and evaluation of auditors, the organization should:

  1. Identify competence requirements for its auditors;
  2. Select internal or external auditors with the appropriate competence;
  3. Have a process in place for monitoring the performance of auditors and audit teams; and
  4. Include personnel on internal audit teams that have appropriate sector-specific and information security knowledge.

Auditors should be selected on the basis that they should be competent, independent and adequately trained. Selecting internal auditors can be difficult for smaller companies. If the required resources and competence are not available internally, external auditors should be appointed. When organizations use external auditors, they should ensure that the auditors have acquired enough knowledge about the context of the organization. This information should be supplied by internal staff.


Organizations should consider that internal employees acting as internal auditors are often able to perform detailed audits that take the organization’s context into account, but might not have enough knowledge about performing audits. Organizations should therefore recognize the characteristics and potential shortcomings of internal versus external auditors and establish suitable audit teams with the required knowledge and competence.

Performing the audit

When performing the audit, the audit team leader should prepare an audit plan that takes into account the results of previous audits and the need to follow up on previously reported nonconformities and unacceptable risks. The audit plan should be retained as documented information and should include the criteria, scope and methods of the audit.

The audit team should review:
  1. Adequacy and effectiveness of processes and determined controls;
  2. Fulfillment of information security objectives;
  3. Compliance with requirements defined in ISO/IEC 27001:2013, Clauses 4 to 10;
  4. Compliance with the organization’s own information security requirements;
  5. Consistency of the Statement of Applicability with the result of the information security risk treatment process;
  6. Consistency of the actual information security risk treatment plan with the identified and assessed risks and with the risk acceptance criteria;
  7. Relevance (considering organization’s size and complexity) of management review inputs and outputs;
  8. Impacts of management review outputs (including improvement needs) on the organization.

The extent and reliability of the available monitoring of the effectiveness of controls as produced by the ISMS (see 9.1) may allow the auditors to reduce their own evaluation efforts, provided they have confirmed the effectiveness of the measurement methods.

If the result of the audit includes nonconformities, the auditee should prepare an action plan for each nonconformity, to be agreed with the audit team leader.

A follow-up action plan typically includes:
  1. Description of the detected nonconformity;
  2. Description of the cause(s) of nonconformity;
  3. Description of the short-term correction and the long-term corrective action to eliminate a detected nonconformity within a defined time frame;
  4. The persons responsible for implementing the plan.

Audit reports, with the audit results, should be distributed to top management. The results of previous audits should be reviewed and the audit program adjusted to better manage areas experiencing higher risks due to nonconformity.

Other information

Further information can be found in ISO 19011, which provides general guidance on auditing management systems, including the principles of auditing, managing an audit program and conducting management system audits. It also provides guidance on the evaluation of the competence of persons or groups of individuals involved in the audit, including the person managing the audit program, auditors and audit teams.

In addition to the guidance contained in ISO 19011, further information can be found in:

  1. ISO/IEC 27007, which provides specific guidance on managing an ISMS audit program, on conducting the audits, and on the competence of ISMS auditors; and
  2. ISO/IEC 27008, which provides guidance on assessing information security controls.

Questions related to this topic

  1. Explain ISO 27001 Clause 9.2 Internal audit?

This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092