Guest user Created: Jun 27, 2019 Last commented: Jun 27, 2019

Internal audit planning

My company asked me to be our internal auditor and sent me to your site for training. They're creating an ISMS and hope to have their 1st external audit in September. One of the criteria for the External Audit is for the company to have had a Full System Internal Audit completed. I have finished viewing your ISO 27001 Internal Auditor training videos and I'm currently studying before I take your certification exam. The internal auditor training indicates that the companies ISMS documents need to be reviewed prior to developing the audit plan. My CISO advises me that not all of our company ISMS documents are ready for the Full System Audit but I'm expected to deliver an audit plan based on only the SOA and scope. I'm a little confused.

0 0

Assign topic to the user

Select user

Expert

Rhand Leal Jun 27, 2019

1. Shouldn't I review all the companies ISMS documents prior to creating the audit plan or is this not necessary for a Full System ISMS Internal Audit? The company advises me that there will be approximately 160 documents which they're expecting me to review during the scheduled audit where they've estimate d to take 5 days based on other audits they've had in the past. My understanding from the training is that I should review all their documents 1st, then develop the audit plan although it's not an ISMS mandatory document by the standard.

Answer: First it is important to note that ISO 27001 does not prescribe the steps for performing internal audit, only that it must be performed periodically, expected inputs and outputs. Considering that, the review of ISMS documents is not mandatory.

The review of ISMS documents prior to developing the internal audit plan is useful for you to identify situations specific to your organization that you should look for (e.g., the name of a record, the periodicity of a task, etc.), but not being able to review all documents should not be an impediment for you to plan your internal audit. In this case you should focus on documented information required by the main clauses from the standard (from sections 4 to 10), and on documents and methods of implementation defined for controls from Annex A stated as applicable in your Statement of Applicability (SoA), and make an observation that some specifics of your organization may not be properly audited, and that there is a risk that nonconformities related to them may be found during the certification audit (this is a risk that your management has to accept if you do not have time to review all documents).

Examples of minimal documents you must include in your review are the ISMS scope, ISMS policy, risk assessment and treatment report.

This article will provide you further explanation mandatory documents for ISO 27001:
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

One additional thing we should mention is that 160 documents for an ISMS is a very uncommon quantity for a set of documents (for small and medium sized companies the set of documents would be no more than 40 to 50), then maybe you have space for an improvement related to decrease the quantity of documents.

Quote

0 0

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

Jun 26, 2019

Expert Advice Community