Internal Audit Program (Clause 9.2)
Clause 9.2 requires you to conduct internal audits at planned intervals to verify that your ISMS conforms both to your organization's own ISMS requirements and to the requirements of ISO 27001, and that it is effectively implemented and maintained.
Understanding Internal Audits
What is an Internal Audit?
An internal audit is a systematic, independent, and documented examination of your ISMS to determine whether:
- ISMS activities and results conform to planned arrangements
- ISMS is effectively implemented and maintained
- ISMS meets ISO 27001 requirements
- Your organization's own ISMS requirements are fulfilled
Why Internal Audits are Critical
For ISO 27001 Certification:
- Mandatory requirement (Clause 9.2)
- Prepare for external certification audits
- Identify and fix issues before certifiers find them
- Demonstrate commitment to compliance
For Your Organization:
- Verify controls are working as intended
- Identify improvement opportunities
- Ensure procedures are being followed
- Validate risk treatment effectiveness
- Drive continuous improvement culture
For Stakeholders:
- Provide assurance
- Demonstrate due diligence
- Build confidence
- Show accountability
Clause 9.2 Requirements
In ISO 27001:2022, Clause 9.2 has only two subclauses: 9.2.1 (General) and 9.2.2 (Internal audit programme). The headings below group its requirements by activity rather than by subclause number, so cite 9.2.1 or 9.2.2 in your own documentation, not the labels used here.
Plan the Audit Program
You must conduct internal audits at planned intervals, considering:
Importance of Processes and Areas:
- Critical systems and high-risk areas more frequently
- Less critical areas less frequently
- Risk-based audit scheduling
Changes Affecting the Organization (not named in the wording of Clause 9.2 itself, which lists process importance and previous audit results, but a trigger certification auditors expect to see):
- After significant changes (systems, processes, structure)
- Following security incidents
- When new risks emerge
- After control implementations
Results of Previous Audits:
- Areas with previous findings get re-audited sooner
- Areas that performed well may have extended intervals
- Follow-up on corrective actions
Define Audit Criteria and Scope
For Each Audit:
- Define what standards/requirements to audit against (ISO 27001, internal policies)
- Determine which areas, processes, controls to audit
- Establish timeframe and depth of examination
- Document audit objectives
Select Competent, Impartial Auditors
Auditor Requirements:
- Ensure objectivity and impartiality
- Auditors cannot audit their own work
- Must have appropriate training and competence
- Should understand ISO 27001 and your ISMS
Ensure Audit Results Reach Relevant Management
Reporting Requirements:
- Report audit findings to relevant management
- Inform those responsible for audited areas
- Escalate significant findings
- Document all findings
Retain Documented Information
Evidence Requirements:
- Audit programs
- Audit plans
- Audit reports
- Evidence of audit implementation
- Proof of results being reported
Take Corrective Action
Post-Audit Actions (the corrective action process itself is governed by Clause 10, nonconformity and corrective action, not by 9.2):
- Correct nonconformities without undue delay
- Address root causes, not just the symptom the auditor observed
- Check whether the same nonconformity exists, or could occur, in other areas
- Implement corrective actions
- Verify effectiveness of corrections, typically in a follow-up audit
Building Your Internal Audit Program
Audit Program Structure
An audit program is your multi-year plan for systematically auditing all aspects of your ISMS.
Define Audit Frequency:
| ISMS Component | Audit Frequency | Rationale |
|---|---|---|
| Critical controls (access control, encryption, backup) | Every 6 months | High risk, essential to security |
| Standard controls (physical security, training) | Annually | Moderate risk, stable processes |
| Low-risk areas (some documentation processes) | Every 1-2 years | Lower risk, infrequent changes |
| Recently implemented controls | Within 3-6 months of implementation | Verify proper implementation |
| Areas with previous findings | 3-6 months after corrective action | Verify effectiveness of corrections |
| Areas with changes | Soon after significant change | Ensure changes properly implemented |
| Complete ISMS coverage | Over 1-3 year cycle | Ensure all areas audited regularly |
Annual Audit Schedule Example (Annex A numbering follows ISO 27001:2022):
| Quarter | Audit Focus | Scope | Auditor |
|---|---|---|---|
| Q1 | Risk Management & Context | Clauses 4, 6, 8.2-8.3 | External consultant |
| Q1 | Access Control & Cryptography | Controls A.5.15-5.18, A.8.2-8.5, A.8.24 | Internal IT Security |
| Q2 | Incident Management & BCM | Controls A.5.24-5.30 | Internal Risk Manager |
| Q2 | Physical & Environmental Security | Controls A.7 | Internal Facilities Manager |
| Q3 | People Security & Awareness | Controls A.6, Clauses 7.2-7.3 | Internal HR |
| Q3 | Network & Application Security | Controls A.8.20-8.34 | External security specialist |
| Q4 | Monitoring & Improvement | Clauses 9, 10 | Internal Quality Manager |
| Q4 | Documentation & Management Review | Clauses 7.5, 9.3 | Internal Audit Lead |
Note that the Internal IT Security auditor in Q1 must not be the person who administers the access control or key management systems being audited; assign a team member who does not operate those controls, or use the external specialist.
Audit Types
Comprehensive ISMS Audit:
- Covers all ISO 27001 clauses
- Reviews all Annex A controls
- Typically annual
- Often prior to certification/recertification
Focused Process Audit:
- Examines specific processes (e.g., incident management)
- Verifies procedures are followed
- Checks effectiveness
- Quarterly or as-needed
Control Effectiveness Audit:
- Tests specific security controls
- Validates controls work as designed
- Includes technical testing
- Risk-based frequency
Compliance Audit:
- Checks adherence to specific requirements
- May focus on legal/regulatory compliance
- Reviews policy compliance
- As required by regulations
Follow-Up Audit:
- Verifies corrective actions implemented
- Checks effectiveness of corrections
- Confirms nonconformities closed
- 3-6 months after initial finding
Auditor Selection and Competence
Auditor Requirements
Knowledge and Skills:
- Understanding of ISO 27001 requirements
- Knowledge of audit principles and techniques
- Awareness of information security principles
- Understanding of your organization's context
- Familiarity with audited processes
Personal Attributes:
- Objective and impartial
- Professional and ethical
- Diplomatic but assertive
- Good communicator
- Detail-oriented
Ensuring Independence
Auditor Independence Rules:
- Auditors must NOT audit their own work
- Auditors should NOT audit areas they are responsible for
- Auditors should NOT have conflicts of interest
- Rotation of auditors recommended
Independence Options (independence is necessary but not sufficient: Clause 9.2 also requires competence, so a non-technical manager auditing IT controls should be paired with someone able to evaluate the technical evidence, or the area should go to an external auditor):
| Audit Area | Good Auditor Choices | Poor Choices |
|---|---|---|
| IT Security Controls | HR Manager, Quality Manager, External Consultant | IT Security Manager (responsible for controls) |
| HR Security Processes | IT Manager, Compliance Officer, External Consultant | HR Manager (responsible for HR processes) |
| Physical Security | IT Security Manager, External Consultant | Facilities Manager (responsible for physical security) |
| Risk Management | Quality Manager, External Consultant | Risk Manager (responsible for risk process) |
| Documentation Control | Any competent auditor | Document Controller (responsible for documents) |
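The frequency table and the independence rules above are easy to state and easy to get wrong in practice, because the triggers (new control, open finding, recent change) interact with the baseline interval and because an auditor can be independent yet incompetent for the area. The following is an added example, not part of this lesson, of a small scheduler that applies both sets of rules. All area names, roles and dates are constructed; the 3-month reading of "soon after significant change" and the use of the upper end of the "3-6 months" ranges are assumptions made for the example.

```python
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date

# Planned intervals per risk tier, in months (the frequency table above).
TIER_INTERVAL_MONTHS = {"critical": 6, "standard": 12, "low": 24}
# Triggers that pull an audit forward. The table gives ranges ("3-6 months");
# the latest acceptable date is used for new controls and follow-ups, and
# 3 months is an assumed reading of "soon after significant change".
NEW_CONTROL_MONTHS = 6
FOLLOW_UP_MONTHS = 6
POST_CHANGE_MONTHS = 3


def add_months(d: date, months: int) -> date:
    """Shift a date by whole months, clamping the day to the target month."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass
class Area:
    name: str
    domain: str                  # competence domain an auditor must cover
    tier: str                    # "critical" | "standard" | "low"
    owner: str                   # role accountable for the area; may not audit it
    last_audit: date | None = None
    implemented: date | None = None               # go-live of a new control
    corrective_action_closed: date | None = None  # closure of a previous finding
    last_change: date | None = None               # last significant change


@dataclass
class Auditor:
    role: str
    domains: set[str]                                       # demonstrated competence
    responsible_for: set[str] = field(default_factory=set)  # areas they operate


def next_due(area: Area, today: date) -> tuple[date, str]:
    """Earliest applicable due date and the rule that produced it."""
    candidates: list[tuple[date, str]] = []
    if area.last_audit:
        interval = TIER_INTERVAL_MONTHS[area.tier]
        candidates.append((add_months(area.last_audit, interval), f"{area.tier} tier interval"))
    triggers = [
        (area.implemented, NEW_CONTROL_MONTHS, "new control"),
        (area.corrective_action_closed, FOLLOW_UP_MONTHS, "follow-up on finding"),
        (area.last_change, POST_CHANGE_MONTHS, "significant change"),
    ]
    for when, months, reason in triggers:
        # A trigger counts only if no audit has happened since it occurred.
        if when and (area.last_audit is None or area.last_audit < when):
            candidates.append((add_months(when, months), reason))
    return min(candidates) if candidates else (today, "never audited")


def eligible(auditor: Auditor, area: Area) -> tuple[bool, str]:
    """Clause 9.2 needs both: objectivity (not auditing own work) and competence."""
    if auditor.role == area.owner or area.name in auditor.responsible_for:
        return False, "conflict: responsible for the audited area"
    if area.domain not in auditor.domains:
        return False, f"not competent in {area.domain}"
    return True, "ok"


def build_schedule(areas: list[Area], auditors: list[Auditor], today: date) -> list[dict]:
    """Order areas by due date and assign the first eligible auditor; flag gaps."""
    plan = []
    for area in sorted(areas, key=lambda a: next_due(a, today)[0]):
        due, reason = next_due(area, today)
        chosen = next((a.role for a in auditors if eligible(a, area)[0]), None)
        plan.append({"area": area.name, "due": due, "reason": reason,
                     "auditor": chosen or "UNASSIGNED: engage an external auditor",
                     "overdue": due < today})
    return plan


# Constructed sample data, not taken from any real ISMS.
TODAY = date(2025, 1, 15)
AREAS = [
    Area("Access control", "it", "critical", "IT Security Manager",
         last_audit=date(2024, 5, 1), corrective_action_closed=date(2024, 11, 1)),
    Area("Cloud services", "it", "critical", "Cloud Platform Lead",
         implemented=date(2024, 10, 1)),
    Area("HR screening", "hr", "standard", "HR Manager", last_audit=date(2024, 3, 1)),
    Area("Document control", "governance", "low", "Document Controller",
         last_audit=date(2023, 9, 1), last_change=date(2024, 12, 1)),
]
AUDITORS = [
    Auditor("IT Security Manager", {"it"}, {"Access control"}),
    Auditor("Quality Manager", {"governance", "hr"}),
]

if __name__ == "__main__":
    for row in build_schedule(AREAS, AUDITORS, TODAY):
        flag = "OVERDUE " if row["overdue"] else ""
        print(f'{flag}{row["due"]}  {row["area"]:<16} {row["reason"]:<22} -> {row["auditor"]}')
```

Two things in the sample output are worth noticing. The access control area is already overdue on its 6-month critical interval, and the closed corrective action has not yet been followed up; neither internal auditor can take it, because the IT Security Manager owns the area and the Quality Manager is not competent in IT controls, which is exactly the situation in which a small organization should budget for an external auditor. The document control area, normally on a 2-year cycle, is pulled forward to March by the December change, and a trigger that predates the last audit is deliberately ignored, so areas are not re-audited for events already covered.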
Training Your Auditors
ISO 27001 Auditor Training:
- Internal auditor courses (typically 2-3 days)
- Understanding ISO 27001 requirements
- Audit planning and conducting techniques
- Writing findings and reports
- Corrective action follow-up
Ongoing Development:
- Participate in multiple audits to gain experience
- Shadow experienced auditors
- Review audit reports from external auditors
- Stay current with ISO 27001 updates
- Attend refresher training
Building an Auditor Team
Small Organization Approach:
- Train 2-3 staff members as auditors
- Supplement with external consultants for independence
- Cross-train from different departments
- Consider hiring external lead auditor
Larger Organization Approach:
- Establish internal audit function
- Train auditors from multiple departments
- Create auditor competency program
- Maintain auditor qualification records
Audit Program Management
Audit Program Document
Your audit program should be documented and include:
Program Scope:
- All ISMS components to be audited
- Applicable ISO 27001 clauses
- Relevant Annex A controls
- Organizational scope boundaries
Audit Frequency:
- Planned intervals for each area
- Risk-based scheduling rationale
- Considerations for triggering additional audits
Audit Methods:
- Interviews
- Document reviews
- Observations
- Technical testing
- Sample checking
Responsibilities:
- Audit program manager
- Auditors for each area
- Auditee responsibilities
- Management responsibilities
Resources:
- Auditor time allocation
- Budget for external auditors if needed
- Tools and access requirements
- Training needs
Reporting:
- Reporting lines
- Report format and content
- Distribution lists
- Escalation procedures
Annual Audit Planning
At the Start of Each Year:
1. Review Previous Year:
   - What was audited
   - Findings and trends
   - Coverage gaps
   - Lessons learned
2. Assess Current State:
   - Changes in the organization
   - New risks or controls
   - Previous audit results
   - Upcoming certification audits
3. Plan Current Year:
   - Schedule audits to ensure full ISMS coverage over the cycle
   - Prioritize high-risk and changed areas
   - Assign auditors, ensuring independence and competence
   - Set audit dates
4. Document Plan:
   - Create the annual audit schedule
   - Communicate it to management and auditees
   - Get management approval
   - Maintain flexibility for unplanned audits
Managing the Audit Program
Responsibilities of Audit Program Manager:
- Maintain the audit program document
- Schedule and plan individual audits
- Select and assign auditors
- Ensure auditor competence and independence
- Track audit completion
- Monitor corrective action closure
- Report program status to management
- Coordinate with external certification audits
Program Monitoring:
- Track audits completed vs. planned
- Monitor finding closure rates
- Assess auditor performance
- Review program effectiveness
- Adjust program based on results
Integration with Other Processes
Internal Audit and Risk Management
- Audit high-risk areas more frequently
- Audit findings may identify new risks
- Use risk assessment to prioritize audit focus
Internal Audit and Incidents
- Incidents may trigger unplanned audits
- Audit findings may reveal incident causes
- Audit effectiveness of incident response
Internal Audit and Management Review
- Audit results are input to management review
- Management review may direct audit focus
- Both drive continual improvement
Internal Audit and Certification Audits
- Internal audits prepare for external audits
- Internal audit schedule aligns with certification cycle
- Internal auditors learn from certification auditors
Evidence for Certification Audits
Auditors Will Want to See:
- Documented internal audit program
- Annual audit plans and schedules
- Completed audit reports for all ISMS areas
- Evidence of auditor competence and independence
- Records of findings and corrective actions
- Proof that findings were reported to management
- Evidence of management review of audit results
- Demonstration of continual improvement from audit findings
Common Audit Findings:
- Insufficient audit frequency (not all areas audited in reasonable timeframe)
- Lack of auditor independence (people auditing their own work)
- Incomplete audit scope (missing ISO 27001 clauses or controls)
- No evidence of corrective actions for findings
- Auditor competence not demonstrated
- Audit results not reported to management
Next Lesson: We'll create a detailed Audit Procedure to guide your auditors through conducting effective internal audits.