Incorporating ISO clauses in an internal audit
To properly audit a policy against the ISO 27001 standard, it is only a matter of reading the standard and assessing whether the policy is compliant with its requirements (e.g., the standard requires a document to be reviewed and approved for suitability and adequacy, so in this case you should check whether the policy was reviewed and approved).
In our free online course "ISO 27001:2013 Internal Auditor Course" (https://advisera.com/training/iso-27001-internal-auditor-course/) you can find examples of how to consider ISO 27001 clauses in an internal audit.
These materials will also help you regarding internal audit:
- How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
Hi There,
Suppose we are conducting an internal audit to see the effectiveness of the secure development policy and the general knowledge around IS policies within the organisation. Reviewing the secure dev policy and collecting evidence to see if the company is compliant with it shouldn't be hard, as we will be interviewing developers and so on. My understanding is that ISO consists of two main parts: clauses 4-10 and Annex A. The secure dev policy is one of the controls in Annex A. I haven't actually been provided with the standard itself, but I have been on a course. My scope for this audit is primarily the development team and their general knowledge around the existing policies. What would be the best way to approach this audit? I am not sure how the clauses will be applicable, and I'm not expected to check the overall effectiveness of the whole ISMS, so do I need to go through everything?
Thanks
The first thing is that if you have to verify compliance with ISO 27001, you need to have the standard with you. As good as a course can be, it cannot replace the letter of the standard during an audit.
Considering that, if your audit scope is primarily the development team and their general knowledge around the existing policies, then you should focus on clauses 7.2 (competence) and 7.3 (awareness), to verify whether the development team has the necessary knowledge, skills or experience to perform their activities, and whether they are aware of the importance of being compliant with the policies and controls and of what the impact of non-compliance is.
And even though you do not need to check the overall effectiveness of the whole ISMS, you have to check whether the ISMS cycle has been completed in the development process, so you have to go through all clauses from sections 4 to 10, focusing only on the development process (e.g., you have to check the risk assessment of the development process, verify whether the existing competence is capable of handling the risks identified as unacceptable, verify whether the training activities performed were effective, and verify the effectiveness of any nonconformity treatment or corrective action taken in the process).
This article will provide you with further explanation about how to approach a process in an audit:
- Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/
Although the article covers certification audits, the same concepts can be applied to internal audits.
Aug 30, 2017