Search results

Support re. internal audit section of ISO 27001 2022

1 - Who exactly needs to be audited

You need to audit the persons who perform activities included in the ISMS scope (e.g., users, technical staff, and managers). The exact persons and how many of them you need to audit will depend on the size and complexity of the process.

2 - Who can do the auditing? For example, could I conduct the audit despite being the project manager? Does it need to be someone that is independent from the process of implementation?

The main rules of internal audit are that no one can audit his own work and that the internal auditor needs to have competence related to the ISO 27001 standard and audit techniques.

Considering that, the project manager cannot perform an internal audit, and you should look for a person with proper competencies and who is not involved in the audited process, to perform the audit.

For further information, see:

• ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

This course will provide required knowledge for the audit job.

3 - Are we auditing our implementation in line with the checklist that's been provided with the toolkit (11.3 Internal Audit Checklist)?

Your understanding is correct. The checklist provided with the toolkit covers all clauses of the main sections (4 to 10), and all controls from Annex A, but please note that you can add more questions in case you identify such a need.

4 - If we are using the Internal Audit Checklist to conduct our audit, there are 2 sections to this. Do we need to complete both sections?

No. Please note that section 1 covers ISO 27001, and section 2 covers ISO 22301, which is related to business continuity. If you are auditing only ISO 27001, then you need to use only the questions from section 1.

5 - I understand the Measurement Report (12.1) is part of the internal audit process, but I'm a little confused as to what actually needs to be measured here and how it relates to the audit. Is this more a documentation of security objectives we want to achieve?

Apologies for all the questions, but I'm not an expert in this so wanting to get a good understanding before we kick off.

Please note that the Measurement Report is an input for the Management Review step, and it summarizes the objectives for your ISMS, the measurement method, the frequency of measurement, and the results. It is not created by the internal auditor and is used by management to conclude how effective information security is in your company.

For further information about measurements, see:

• How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
• ISO 27001 control objectives - Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

This article will provide you with further explanation about internal audit:

• How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/

• Support regarding ISO 27001:2022

  Your understanding of the sequence of implementation is correct.

  Please note that nonconformities can be identified either by the personnel performing the activities, during daily operations, as well as during internal audits (in fact, in a mature ISMS the majority of identified nonconformities came from operation personnel than from internal audit, because at this level the personnel has already understood the value of nonconformities).

  Regarding how long to operate the ISMS so as to have enough evidence to assess nonconformities, an operation period between 15 days and 1 month is a good starting point. Please note that security process cycles can vary (e.g., some processes are performed on a daily, weekly, or monthly basis).  

  For further information see:

  • Complete guide to corrective action vs. preventive action https://advisera.com/articles/complete-guide-to-corrective-action-vs-preventive-action/

• Queries related to old client

  I’m assuming you want to know how to handle old customers considering ISO 27001 certification and policies and procedures not implemented yet.

  Considering that, first is important to note that you need to follow all ISO 27001 implementation Steps: https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

  According to these steps, you need first to evaluate if these old customers have requirements (i.e., needs and expectations defined in contracts or agreements you have with them) that can impact or be impacted by the information you want to protect with your Information Security Management System (ISMS).

  In case such requirements exist, then you need to consider them in your implementation, by identifying information security risks related to these requirements and, for those risks deemed as relevant, develop and/or adjust policies and procedures accordingly.

  For example, if these customers have requirements for which compromise of availability of information protected by the ISMS can impact them, then you need to identify relevant related risks and develop or update a backup policy.

  In case there are no relevant requirements, these customers do not need to be considered in the ISMS.

  For further information, see:

  • How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
  • 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/

  • Transition Online Course content

    First of all, thanks for the feedback.

    Your understanding of the update purpose is correct considering alignment with Annex SL and ISO/IEC 27002, but please note that in the course documentation ISO 9001 is mentioned as an example of alignment with other management systems, not as the unique alignment.

    “Overall, the changes in the main part of the standard, that is – in clauses 4 to 10 – are mainly about aligning ISO 27001 with other management standards like ISO 9001.”

  • Supplier questionnaire

    Please note that to identify the proper questions to send to suppliers you need to consult the results of your risk assessment and applicable legal requirements. Based on the relevant risks and laws, regulations, and contracts you need to comply with, you can define which are the proper questions to send.  

    For example, generally speaking, you could send all questions you listed, but in case you do not have relevant risks or legal requirements demanding a disaster recovery plan, then it is not relevant for you to ask the supplier about a disaster recovery plan.

    For further information, see:

    • 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
    Step one will provide information regarding risk assessment, while step two will provide information regarding legal requirements.

  • Conformio documentation

    1 - Clause 7.4 – Communication ( how to evidence the communications plan).  Where do I find this information on the system?

    Answer: Communication is an activity that is performed by many processes in information security, with different purposes, so in general, for medium and small businesses there is no point in creating a centralized communication plan, because it would be to complex to use and maintain by people responsible for communication.

    For small and medium-sized organizations information related to communication, communication activities are defined in documents like:
    - Information Security Policy
    - Incident Management Procedure
    - Disaster Recovery Plan

    Each of these documents specify who needs to communicate what.

    Additionally, there is some communication that is performed outside of Conformio – e.g., through emails, Slack, verbal, etc. 

    2 - Clause 8.1 - Operational planning and control (To see the ISMS Calendar/Planner). Where do I find this information on the system? 

    Answer: The ISMS scheduled activities (i.e., action, responsible, and frequency) related to implementation and control of information security processes (e.g., risk assessment, monitoring and measurement of controle and security objectives, internal audit, etc.), as well as of those activities related to management of necessary documentation (e.g., policies and procedures) can be found in the Responsibility Matrix. This matrix is developed based on the activities defined in each approved document (i.e., when a document is approved the activities defined on them are included in the responsibility matrix). 

    3 - Clause 9.1 - Monitoring, measurement, analysis and evaluation (To see the measurement & Metrics and measurement results).  Where do I find this information on the system?

    Answer: You define required metrics and measurements in the “Setting up Management review” step. Achieved results can be found in the “Reporting dashboard” and in the “First Official Management Review” step.

    4 - Clause 10.2 - Continual improvement (To see ISMS continual improvement log).   Where do I find this information on the system?

    Answer: The information about continual improvement can be found as corrective actions defined in the Nonconformity module.

    5 - A.18.2.2 – Report of information security compliance monitoring from various Managers/Heads of Heads or plan of action. How do I capture or evidence this in the system?

    Answer: First is important to note that the specific requirements to report compliance need to be identified through the “Register of requirements module”. This module will identify which laws, regulations and contracts you need to comply to, and by reading these requirements you will identify how to evidence compliance (e.g., by releasing a report, by performing an audit/management review, etc.)

    Considering that, some examples of elements that can provide evidence of compliance are audit reports (through the Internal Audit Module), management review minutes (through Management Review Module), and the Dashboards in the Reporting Module.

    6 - and Finally, How to use Conformio to test the effectiveness of the ISMS in the organization?

    Answer: To find out if ISMS is effective, you need to perform two activities:

    1) Internal audit - in Conformio you have a separate step for that purpose that takes you to the Internal audit module. 

    2) Measure if the ISMS is fulfilling the objectives - in Conformio you can find this in dashboards in the Report module.

  • CRM Document Management

    Your approach for embedding document management into your CRM will be acceptable by the auditor provided you comply with the standard’s requirements (clause 7.5):

    • How, and by whom, documents are approved?
    • Who needs to access the documents and how do they do that
    • How documents are protected
    • How documents are changed
    • For how long documents are kept and how they are disposed of when do not need anymore

    Please note that if it is not possible to use the CRM to comply with all requirements you can still use a combination of CRM and Conformio to achieve compliance.

    For further information, see:

    • How to manage documents according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2021/06/27/how-to-manage-documents-according-to-iso-27001-and-iso-22301/

  • ISO/IEC 27001 Audit

    In fact, such a situation is unusual, but not a sufficient reason for a problem. The auditor will probably make additional checking, considering:

    • which conditions you have defined that require opening a non-conformity. For example, in some situations, one or two minor events related to the system may happen, and the system performance still is at acceptable levels, so raising a nonconformity is not required.
    • reports on the performance of implemented controls, to check if they were working properly considering the period audited.  

    Based on the evidence found related to systems performance conditions and reports about controls performance, the auditor may conclude that in fact, the system is reliable enough and that the lack of incidents and non-conformities (or the low number of incidents and lack of non-conformities) is justifiable.  

    For further information, see:

    • Infographic: The brain of an ISO auditor – What to expect at a certification audit https://advisera.com/articles/infographic-the-brain-of-an-iso-auditor-what-to-expect-at-a-certification-audit/

  • Approved Certification bodies

    Thanks for your response Rhand, this helps.