Here we will refer to ISMS requirements text from the ISO 27001 Standard – Chapter 9.2:
The organisation shall conduct internal audits at planned intervals to provide information on whether the information security management system:
a) conforms to
   1) the organisation’s own requirements for its Information Security Management System;
   2) the requirements of this international standard.
b) is effectively implemented and maintained.
The organisation shall:
c) plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits;
d) define the audit criteria and scope for each audit;
e) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;
f) ensure that the results of the audits are reported to relevant management; and
g) retain documented information as evidence of the audit programme(s) and the audit results.
Our Compleye vision is to develop a real-time audit feature in Compleye Online that will cover 80% of the internal audit online, in real time and automated. Over the past years we have developed an approach that works during external audits and that is working towards our vision of real-time audit. We expect this feature to be ready in Q3-Q4 of 2023.
The audit template we use – with criteria – refers to the evidence that can be found in the Compleye Online Platform, and will be improved on a monthly basis. So, until the real-time audit feature is ready, please reach out to us for the latest templates.
In the meantime there are 2 options:
- DIY – Use our Internal Audit Procedure Template (focused on the process and documenting every step to be compliant with the ISO 27001 requirements). Make sure you can assign a team member (not in an ISMS role) to this job for objectivity.
- You can make use of the Compleye Services for this task: by assigning an experienced and knowledgeable external auditor to act as your internal auditor, you can use this as a good preparation for the external audit.
This section consists of 2 steps.
Step 1: Perform the Internal Audit
Step 2: Process your findings in Internal Audit section.
Step 1 – Perform the Internal Audit
- Plan to start performing the Internal Audit 2 to 3 months before the scheduled External Audit, because it will be time consuming the first time you do it and you will need to audit every aspect of the ISO 27001 Standard.
- Please first read the Internal Audit Process to understand what needs to be done; the manual process can take up to a few days of work.
- Use the Internal Audit Template to record the findings.
- All findings – from Internal Auditor – will need to be addressed by the ISMS Team, so make sure the right people (including Management/C-level) are part of this process. That’s why we embedded the investigation step into the process – if we can’t find the evidence, you can provide it during a session. The final internal audit report will have findings that you’ll need to turn into new improvements – the same process as is followed in Assessments.
- The standard requires that you have an Audit Plan for the entire period of Certification (3 years). Therefore, before the external audit you will need to audit every part of the ISO 27001 norm, and you can spread the norm requirements over the following years. In the Compleye vision of real-time audit, we believe that you will need to have an overview of (as much as possible) requirements that you can track automatically. This means that you can perform an internal audit on a yearly basis on all requirements, which is an even better preparation for the external audit.
- The main difference between assessment and audit is that the purpose of an assessment is to get a snapshot of the current reality of your organisation, while the purpose of an audit is more pointed and focused on compliance. An audit also measures the current reality, but it then compares it against a specific standard. This will illuminate specific gaps that should be corrected.
Step 2 – Process your findings in the Compleye Online system.
Now that the actual work has been done, it’s time to assess the findings and create actual improvements for them. This is the final step and can be performed by your compliance officer.
You can simply click on the “Create New Internal Audit” button at the bottom left of the page.
It will open a new window where you can upload the Internal Audit document. Once attached, this document can’t be deleted, only downloaded. The Internal Audit card will be named by the date it’s uploaded. If needed, you can upload multiple documents; make sure you upload the main document first.
After creating the Internal Audit Card you can add the findings (copy them from your main document). You can also add other relevant documents in the ‘Attachments’ tab, if needed (not mandatory).
- When a finding is added and saved, you will automatically have the option to create an improvement (in blue).
NOTE: if you don’t create an improvement, you’ll need to justify the reason to the external auditor. Perhaps you have already resolved the finding and added the evidence in ‘Attachments’. If so, please make sure that you have addressed that in the finding (e.g. by adding ‘Already solved by …; evidence can be found in the attachment.’). We strongly advise creating an improvement for each finding. Improvements will become part of the Management Review and show that you’re able to improve and mature your ISMS.
When you create an improvement, a new pop-up screen will appear.
- The finding is already filled in, with the tag Internal Audit, to identify where this improvement came from.
- You’ll need to assign an owner who will be responsible for the improvement.
- Due Date: estimated date for first expected results.
- Now, the owner will need to work on the improvement. Please make sure that the owner has access to the board and has added an email address in the section to ensure that they receive notifications on improvement deadlines.
Make sure that the owner reads the wiki on the improvement and starts working on the improvement.
The compliance officer will check all improvements’ progress during the monthly security meeting.
- Once the improvement is closed it will be indicated as a green check-box tick in the tab along with the date and the person that closed the improvement. So, before you start a new Internal Audit, check if the findings of your previous Internal Audit have been addressed in closed improvements.
| Description | Example |
| --- | --- |
| Define a name for the Improvement – this is not the finding, but e.g. the name of a project/plan that is easily recognisable to the ISMS Team | If the finding is “No Security Incidents Reporting Procedure” the title can be “Set up a security incidents reporting procedure” |
| Person responsible for the improvement | One of your ISMS Team members |
| Findings of the information security risk assessment (‘Column G in ISRA Template – Risk Assessment tab’). This will automatically be filled in the pop-up menu once defined in the section. | “No Security Incidents Reporting Procedure” |
| Always start with a due date when you want to have your first Improvement milestone ready, e.g. when the project plan, proposal or first step needs to be finalised. To be used as a reminder (the owner can receive a notification 3 days prior to the due date). | Select the date |
| The Risk Assessment where the finding originated. In this case this will be filled in automatically, because this is the ISRA Section. | |