Critical Success Factors & an effective ISMS
Internal Auditing is a mandatory clause within the ISO 27001 standard. Thorough Internal Auditing is imperative to maintaining an effective Information Security Management System [ISMS], and gives confidence to your External Auditor – so they don’t have to look as deeply.
Plan your audit scope to ensure coverage of all key areas of the ISMS, and all sections of the standard on a minimum of an annual basis – especially the mandatory clauses, such as risk assessment and management review.
These are some of the critical success factors in ensuring that your Internal Audits are appropriate for the requirements of ISO 27001, and help drive continual improvement.
Firstly, don’t just audit against the 133 controls of the standard; instead, think of the bigger picture – is the ISMS really improving the organisation’s security? For example, you might:
- Use the risk assessment as a fundamental input into your audit activities – check that identified risks are being mitigated with appropriate controls, and that the countermeasures are proving to be effective.
- Check that the ISMS is meeting relevant legislation, regulation, and third party contractual security requirements.
Secondly, ensure competence and objectivity of your Internal Auditors. Ideally, they will have some expertise in information security, and be able to translate this into the requirements of ISO 27001, and into how you have translated those requirements into your ISMS.
If you do not have the appropriate internal resource available, you may want to consider having an external party, such as ECSC, conduct your Internal Audits.
Thirdly, ensure that weaknesses, and required corrective actions, identified at previous audits are being addressed and that improvements are made as a result. Recurring weaknesses found during audits indicate poor ISMS management – and this is something that the External Auditor will notice.
ISO 27007 has been developed to provide additional guidance on effective Internal Auditing of ISMS.
Click here http://www.ecsc.co.uk/pdf/ECSC_ISO27007Briefing.pdf for an ISO 27007 briefing to learn more about this latest release in the growing family of ISO 27000 standards and guidance.