Module 6: Performance Monitoring

Audit Procedure


Internal Audit Procedure Template

This procedure defines the step-by-step process for conducting internal audits of your Information Security Management System (ISMS).

1. Purpose

To establish a systematic approach for planning, conducting, reporting, and following up on internal ISMS audits in accordance with ISO 27001 Clause 9.2.

2. Scope

This procedure applies to all internal audits of the ISMS, covering:

  • ISO 27001 requirements (Clauses 4-10)
  • Annex A security controls as defined in the Statement of Applicability
  • ISMS policies, procedures, and processes
  • All locations and departments within the ISMS scope

3. Responsibilities

Audit Program Manager

  • Maintain the internal audit program
  • Develop annual audit schedule
  • Assign auditors to specific audits
  • Ensure auditor competence and independence
  • Track audit completion and corrective action closure
  • Report audit program status to top management

Lead Auditor (for each audit)

  • Plan the specific audit
  • Lead the audit team
  • Conduct opening and closing meetings
  • Prepare audit report
  • Submit report to management
  • Verify corrective action effectiveness

Auditors

  • Prepare for assigned audits
  • Conduct audit activities (interviews, reviews, observations)
  • Document findings and evidence
  • Support lead auditor
  • Maintain objectivity and confidentiality

Auditees (Process Owners/Managers)

  • Provide requested documentation
  • Make personnel available for interviews
  • Facilitate access to systems and facilities
  • Respond to audit findings
  • Implement corrective actions
  • Provide evidence of corrective action completion

Top Management

  • Approve annual audit program
  • Review audit results
  • Ensure resources for corrective actions
  • Support audit program

4. Audit Process Overview

The internal audit process follows these phases:

  1. Annual Planning - Develop audit program and schedule
  2. Audit Preparation - Plan specific audit
  3. Opening Meeting - Introduce audit team and confirm scope
  4. Audit Execution - Gather and evaluate evidence
  5. Closing Meeting - Present preliminary findings
  6. Audit Reporting - Document and distribute audit report
  7. Corrective Action - Implement and verify corrections
  8. Follow-Up - Verify effectiveness of corrective actions

5. Detailed Procedure

5.1 Annual Audit Planning

Timing: Q4 of previous year

Steps:

  1. Review Previous Audit Cycle:

    • Analyze findings and trends from previous audits
    • Identify areas with recurring issues
    • Assess coverage completeness
  2. Consider Risk and Change:

    • Review risk assessment for high-risk areas
    • Identify areas with significant changes
    • Note new controls or processes implemented
    • Consider results of monitoring and measurement
  3. Develop Annual Schedule:

    • Ensure all ISMS components are covered over a 1-3 year cycle
    • Prioritize high-risk areas for more frequent audits
    • Schedule follow-up audits for previous findings
    • Align with certification audit schedule if applicable
  4. Assign Resources:

    • Select auditors ensuring independence
    • Identify need for external auditors if required
    • Estimate time requirements
    • Allocate budget
  5. Document and Approve:

    • Create annual audit schedule document
    • Submit to top management for approval
    • Communicate schedule to process owners
    • Publish schedule to relevant stakeholders

Output: Approved Annual Internal Audit Schedule

5.2 Audit Preparation (Individual Audit)

Timing: 4-6 weeks before audit date

Steps:

  1. Define Audit Scope and Objectives:

    • Specify which ISO 27001 clauses/controls to audit
    • Identify processes, locations, departments included
    • Define audit criteria (standards, policies, procedures)
    • Establish audit objectives
    • Set audit duration and dates
  2. Assign Audit Team:

    • Select lead auditor
    • Assign additional auditors if needed
    • Verify auditor independence (cannot audit own work)
    • Confirm auditor availability
  3. Review Background Information:

    • Previous audit reports for this area
    • Risk assessment relevant to audit scope
    • Applicable policies and procedures
    • Recent incidents or changes
    • Monitoring results for this area
  4. Develop Audit Plan:

    • Create detailed audit schedule (times, locations, interviewees)
    • Prepare audit checklist (see Audit Checklist template)
    • Identify documents to review
    • List records to sample
    • Determine technical tests if applicable
  5. Communicate with Auditees:

    • Send audit notification (minimum 2 weeks advance notice)
    • Provide audit scope and schedule
    • Request access to documentation
    • Confirm availability of key personnel
    • Coordinate logistics (meeting rooms, system access)

Output: Audit Plan and Checklist

5.3 Opening Meeting

Timing: Start of audit

Duration: 15-30 minutes

Attendees: Audit team, auditees (process owners, key staff), management representative

Agenda:

  1. Introductions:

    • Introduce audit team members
    • Confirm attendees
  2. Confirm Audit Details:

    • Review audit scope and objectives
    • Confirm audit criteria (standards being audited against)
    • Review audit schedule and timeline
    • Clarify any exclusions or limitations
  3. Explain Audit Process:

    • How evidence will be gathered (interviews, document reviews, observations)
    • Sampling approach
    • Confidentiality and objectivity
    • Classification of findings (major, minor, observations)
  4. Administrative Arrangements:

    • Confirm availability of interviewees
    • Access to documentation and systems
    • Meeting room locations
    • Safety and security requirements
    • Communication channels during audit
  5. Q&A:

    • Address any questions or concerns
    • Clarify expectations
  6. Confirm Closing Meeting:

    • Date, time, location for closing meeting
    • Who should attend

Output: Opening meeting minutes (brief notes)

5.4 Audit Execution

Activities:

Document Review

  • Review policies, procedures, work instructions
  • Examine records, logs, reports
  • Check for completeness, currency, approval
  • Verify alignment with ISO 27001 requirements
  • Sample records to verify implementation

Interviews

  • Interview process owners and responsible personnel
  • Ask open-ended questions
  • Listen actively and take notes
  • Verify understanding of procedures
  • Assess awareness and competence
  • Cross-reference responses with documentation

Observations

  • Observe processes in action
  • Tour physical facilities
  • Witness control operations
  • Check physical security measures
  • Observe staff performing procedures

Technical Testing

  • Test access controls (attempt unauthorized access)
  • Review system logs
  • Check backup integrity
  • Verify encryption implementation
  • Test firewall rules
  • Assess vulnerability scan results

Evidence Collection

  • Document all findings with objective evidence
  • Take photos if relevant (with permission)
  • Collect screenshots
  • Record interview responses
  • Note observations with specifics (who, what, when, where)
  • Preserve evidence trail

Audit Sampling: When full verification isn't practical, use sampling:

  • Select representative samples
  • Use random selection when possible
  • Increase sample size for critical controls
  • Document sampling methodology
  • Extrapolate findings appropriately

Finding Classification:

Major Nonconformity:

  • Absence of a required ISO 27001 process or control
  • Complete failure of a process to achieve its intended outcome
  • Systemic breakdown (same issue across multiple areas)
  • Non-implementation of a mandatory requirement
  • Situation that would raise significant doubt about ISMS capability

Minor Nonconformity:

  • Isolated failure to meet a requirement
  • Incomplete implementation of a requirement
  • Deviation from procedure that doesn't systematically affect outcomes
  • Issues that could become major if not addressed

Observation (Opportunity for Improvement):

  • Not a nonconformity but could lead to one
  • Best practice suggestion
  • Potential risk or inefficiency
  • Recommendation for improvement

Positive Finding:

  • Examples of excellent implementation
  • Innovative approaches
  • Practices worth sharing across organization

Documentation: For each finding, record:

  • Finding number/ID
  • Classification (major, minor, observation)
  • ISO 27001 clause/control reference
  • Description of the issue (what is wrong)
  • Objective evidence (specific examples with details)
  • Impact or risk
  • Recommendation (if observation)

Daily Audit Team Meetings:

  • Review findings collected
  • Discuss evidence quality
  • Identify any scope adjustments needed
  • Plan next day's activities
  • Ensure consistency in evaluation

5.5 Closing Meeting

Timing: End of audit (same day or within 1-2 days)

Duration: 30-60 minutes

Attendees: Audit team, auditees, management representatives, preferably top management

Agenda:

  1. Thank Participants:

    • Acknowledge cooperation
    • Thank for time and access provided
  2. Restate Audit Scope:

    • Remind of audit scope and criteria
    • Confirm what was audited
  3. Present Findings:

    • Summarize audit results
    • Present each major nonconformity with evidence
    • Present each minor nonconformity with evidence
    • Share observations and positive findings
    • Allow questions and clarifications
  4. Discuss Next Steps:

    • Timeline for formal audit report
    • Process for corrective action response
    • Timeframes for corrective action (typically 30-90 days)
    • Follow-up audit approach
  5. Q&A:

    • Address questions about findings
    • Clarify any misunderstandings
    • Note any disagreements for investigation
  6. Closing Remarks:

    • Thank participants again
    • Explain report distribution

Note: Findings presented in closing meeting are preliminary. Final findings will be in the written audit report.

Output: Closing meeting minutes

5.6 Audit Reporting

Timing: Within 5-10 business days of audit completion

Report Contents:

  1. Executive Summary:

    • Overall audit conclusion (ISMS conformant or not)
    • Summary of major and minor findings
    • Areas of good practice
  2. Audit Details:

    • Audit date(s)
    • Audit team
    • Scope and objectives
    • Audit criteria
    • Locations and processes audited
  3. Findings:

    • For each major nonconformity:
      • Finding number
      • ISO clause/control reference
      • Description of nonconformity
      • Objective evidence
      • Requirement not met
    • For each minor nonconformity (same structure)
    • Observations and opportunities for improvement
    • Positive findings and commendations
  4. Conclusion:

    • Overall assessment of audited area
    • Trends or systemic issues noted
    • Progress since previous audit
  5. Distribution:

    • Process owners (auditees)
    • Top management
    • Information Security Manager
    • Quality/Compliance Manager
    • Audit program file

Report Approval:

  • Lead auditor reviews and approves report
  • Audit program manager may review for consistency

Output: Formal Audit Report

5.7 Corrective Action

Timing: Within 30-90 days of audit report (depending on finding severity)

Process:

  1. Auditee Develops Corrective Action Plan:

    • Root cause analysis (identify why nonconformity occurred)
    • Immediate correction (fix the specific issue found)
    • Corrective action (prevent recurrence)
    • Implementation timeline
    • Person responsible
    • Evidence that will demonstrate completion
  2. Submit Plan for Review:

    • Auditee submits plan to lead auditor or audit program manager
    • Reviewer assesses adequacy of proposed actions
    • Feedback provided if plan insufficient
    • Plan approved when adequate
  3. Implement Corrective Action:

    • Auditee implements corrections and corrective actions
    • Update procedures if needed
    • Train affected personnel
    • Collects evidence of implementation
  4. Submit Evidence:

    • Auditee submits evidence to auditor
    • Evidence examples:
      • Updated procedures
      • Training records
      • Screenshots showing corrections
      • Logs demonstrating control operation
      • Sample records showing compliance

Tracking:

  • Maintain corrective action tracking log
  • Monitor status (open, in progress, pending verification, closed)
  • Send reminders for overdue actions
  • Escalate persistent delays to management

5.8 Follow-Up and Verification

Timing: After corrective action evidence submitted

Methods:

Desktop Review:

  • Review submitted evidence
  • Assess if evidence demonstrates correction
  • Verify root cause addressed
  • Suitable for minor findings with clear evidence

Follow-Up Audit:

  • Conduct on-site verification
  • Re-interview personnel
  • Re-check records and systems
  • Required for major nonconformities
  • Recommended for recurring issues

Verification Decision:

  • Effective: Corrective action successfully addresses finding, nonconformity closed
  • Partially Effective: Some improvement but issue not fully resolved, remains open
  • Ineffective: Corrective action did not resolve issue, new approach required

Documentation:

  • Record verification date and method
  • Document verification results
  • Update finding status
  • Notify auditee and management of closure or continued open status

Output: Updated audit tracking log, verification records
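The tracking log in 5.7 and the verification decisions in 5.8 together describe a small state machine: an action moves from open through in progress and pending verification to closed, the deadline depends on finding severity, overdue actions trigger reminders and then escalation, and only an "effective" verification closes the finding. The following is an added example of that logic in Python; it is not part of the course template. It assumes a 30-day deadline for major and 90-day deadline for minor findings (one reading of the template's "30-90 days depending on severity"), treats more than 14 days overdue as a "persistent delay" for escalation, and uses three constructed sample findings.

```python
"""Corrective action tracking log (added example, not part of the course template).

Implements the status flow and timeframes described in sections 5.7 and 5.8.
The 30/90-day deadlines and the 14-day escalation threshold are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Allowed status transitions for a corrective action (section 5.7 "Tracking").
# "pending verification" can fall back to "in progress" when verification
# finds the action partially effective or ineffective (section 5.8).
TRANSITIONS = {
    "open": {"in progress"},
    "in progress": {"pending verification"},
    "pending verification": {"closed", "in progress"},
    "closed": set(),
}

# Assumed mapping of "30-90 days depending on finding severity".
DEADLINE_DAYS = {"major": 30, "minor": 90}

VERIFICATION_DECISIONS = {"effective", "partially effective", "ineffective"}


def _as_date(d):
    """Accept either a date or an ISO 8601 string such as '2024-06-15'."""
    return date.fromisoformat(d) if isinstance(d, str) else d


@dataclass
class CorrectiveAction:
    finding_id: str
    severity: str        # "major" or "minor"
    reference: str       # ISO 27001 clause or Annex A control reference
    report_date: date    # date of the formal audit report (starts the clock)
    owner: str           # person responsible for the action
    status: str = "open"
    history: list = field(default_factory=list)  # (date, from/what, to/decision)

    @property
    def due_date(self) -> date:
        return self.report_date + timedelta(days=DEADLINE_DAYS[self.severity])

    def transition(self, new_status: str, on) -> None:
        """Move to a new status, rejecting moves the tracking flow does not allow."""
        if new_status not in TRANSITIONS[self.status]:
            raise ValueError(f"{self.finding_id}: {self.status!r} -> {new_status!r} is not allowed")
        self.history.append((_as_date(on), self.status, new_status))
        self.status = new_status

    def record_verification(self, decision: str, on) -> None:
        """Apply a section 5.8 verification decision to submitted evidence."""
        if self.status != "pending verification":
            raise ValueError(f"{self.finding_id}: no evidence awaiting verification")
        if decision not in VERIFICATION_DECISIONS:
            raise ValueError(f"unknown verification decision {decision!r}")
        self.history.append((_as_date(on), "verification", decision))
        # Only "effective" closes the finding; the other two keep it open.
        self.transition("closed" if decision == "effective" else "in progress", on)


def overdue(actions, today):
    """Finding IDs that are still open and past their due date (reminder candidates)."""
    today = _as_date(today)
    return [a.finding_id for a in actions if a.status != "closed" and today > a.due_date]


def needing_escalation(actions, today, persistent_days=14):
    """Open findings overdue by more than `persistent_days` (assumed threshold) for escalation."""
    today = _as_date(today)
    return [a.finding_id for a in actions
            if a.status != "closed" and (today - a.due_date).days > persistent_days]


def closure_rate(actions):
    """Share of findings closed, as reported quarterly under section 5.9."""
    return sum(a.status == "closed" for a in actions) / len(actions) if actions else 0.0


def build_sample_log():
    """Constructed sample: three findings from an audit report dated 2024-03-01 (assumed)."""
    report = date(2024, 3, 1)
    a = CorrectiveAction("F-01", "major", "A.8.13 backup", report, "IT Ops")
    b = CorrectiveAction("F-02", "minor", "7.2 competence", report, "HR")
    c = CorrectiveAction("F-03", "minor", "A.5.15 access control", report, "IT Ops")
    # F-01: plan approved, implemented, evidence verified effective -> closed
    a.transition("in progress", "2024-03-10")
    a.transition("pending verification", "2024-03-25")
    a.record_verification("effective", "2024-03-28")
    # F-02: evidence submitted, but verification found it only partially effective
    b.transition("in progress", "2024-03-15")
    b.transition("pending verification", "2024-05-20")
    b.record_verification("partially effective", "2024-05-25")
    # F-03: no plan submitted; still open
    return [a, b, c]


if __name__ == "__main__":
    log = build_sample_log()
    for a in log:
        print(f"{a.finding_id} {a.severity:5} due {a.due_date} status={a.status}")
    print("overdue on 2024-06-15:", overdue(log, "2024-06-15"))
    print("escalate on 2024-06-15:", needing_escalation(log, "2024-06-15"))
    print(f"closure rate: {closure_rate(log):.0%}")
```

Run as a script it prints the status of each sample finding, the overdue and escalation lists for a given date, and the closure rate; the `history` list on each action is the verification record (date, method or decision) that section 5.8 asks to retain.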

5.9 Program Monitoring and Reporting

Quarterly:

  • Audit program manager reviews audit completion vs. plan
  • Analyzes finding trends across audits
  • Monitors corrective action closure rates
  • Reports status to top management

Annually:

  • Comprehensive review of audit program effectiveness
  • Report total audits conducted
  • Summary of findings by clause/control
  • Trends and patterns
  • Program improvements identified
  • Input to management review

6. Records and Documentation

Records to Retain:

  • Annual audit program and schedule
  • Individual audit plans
  • Audit checklists (completed)
  • Opening and closing meeting minutes
  • Audit reports
  • Corrective action plans
  • Corrective action evidence
  • Verification records
  • Audit tracking logs
  • Auditor competence records

Retention Period: Minimum 3 years or as required by legal/regulatory requirements

7. Auditor Competence and Independence

Competence Requirements

  • Completed ISO 27001 internal auditor training (minimum 16 hours)
  • Understanding of ISO 27001 requirements
  • Knowledge of audit techniques
  • Understanding of information security principles
  • Awareness of organization's ISMS context and processes

Independence Requirements

  • Auditors must NOT audit their own work
  • Auditors should NOT audit processes for which they are responsible
  • Rotation of auditors recommended to maintain fresh perspective
  • Declaration of independence signed before each audit

Competence Records

  • Training certificates
  • Audit participation history
  • Continuing professional development

8. Escalation

When to Escalate:

  • Major nonconformities discovered
  • Systemic issues across multiple areas
  • Auditee refuses to cooperate with audit
  • Corrective actions significantly overdue
  • Audit reveals critical security vulnerability

Escalation Path:

  • Lead Auditor → Audit Program Manager → Information Security Manager → Top Management

9. Integration with Management Review

Audit program results are a required input to management review (Clause 9.3), including:

  • Audit completion status
  • Summary of findings
  • Corrective action status
  • Trends and patterns
  • Areas of concern
  • Program effectiveness

10. Continuous Improvement

After Each Audit:

  • Gather auditor feedback on process effectiveness
  • Collect auditee feedback on audit experience
  • Identify process improvements

Annually:

  • Review audit procedure effectiveness
  • Update checklists and templates
  • Incorporate lessons learned
  • Update based on ISO 27001 changes or organizational needs

Related Documents:

  • Internal Audit Program
  • Audit Checklist Template
  • Audit Report Template
  • Corrective Action Form

Next Lesson: We'll provide comprehensive Audit Checklists for each ISO 27001 clause and Annex A control area.
