Expert Advice Community


Support re. internal audit section of ISO 27001 2022

Guest user, created: Feb 11, 2023, last commented: Feb 11, 2023

We're currently kicking off the process of becoming ISO accredited. Having looked through the documentation, the section that I'm having difficulty understanding is the internal auditing requirements.

- Who exactly needs to be audited
- Who can do the auditing? For example, could I conduct the audit despite being the project manager? Does it need to be someone that is independent from the process of implementation?
- Are we auditing our implementation in line with the checklist that's been provided with the toolkit (11.3 Internal Audit Checklist)?
- If we are using the Internal Audit Checklist to conduct our audit, there are 2 sections to this. Do we need to complete both sections?
- I understand the Measurement Report (12.1) is part of the internal audit process, but I'm a little confused as to what actually needs to be measured here and how it relates to the audit. Is this more a documentation of security objectives we want to achieve?

Apologies for all the questions, but I'm not an expert in this so wanting to get a good understanding before we kick off.


Expert: Rhand Leal, Feb 11, 2023

1 - Who exactly needs to be audited

You need to audit the persons who perform activities included in the ISMS scope (e.g., users, technical staff, and managers). The exact persons and how many of them you need to audit will depend on the size and complexity of the process.

2 - Who can do the auditing? For example, could I conduct the audit despite being the project manager? Does it need to be someone that is independent from the process of implementation?

The main rules of internal audit are that no one can audit his own work and that the internal auditor needs to have competence related to the ISO 27001 standard and audit techniques.

Considering that, the project manager cannot perform an internal audit, and you should look for a person with the proper competencies who is not involved in the audited process to perform the audit.

For further information, see:

This course will provide the required knowledge for the audit job.

3 - Are we auditing our implementation in line with the checklist that's been provided with the toolkit (11.3 Internal Audit Checklist)?

Your understanding is correct. The checklist provided with the toolkit covers all clauses of the main sections (4 to 10), and all controls from Annex A, but please note that you can add more questions in case you identify such a need.

4 - If we are using the Internal Audit Checklist to conduct our audit, there are 2 sections to this. Do we need to complete both sections?

No. Please note that section 1 covers ISO 27001, and section 2 covers ISO 22301, which is related to business continuity. If you are auditing only ISO 27001, then you need to use only the questions from section 1.

5 - I understand the Measurement Report (12.1) is part of the internal audit process, but I'm a little confused as to what actually needs to be measured here and how it relates to the audit. Is this more a documentation of security objectives we want to achieve?

Please note that the Measurement Report is an input for the Management Review step, and it summarizes the objectives for your ISMS, the measurement method, the frequency of measurement, and the results. It is not created by the internal auditor and is used by management to conclude how effective information security is in your company.

For further information about measurements, see:

This article will provide you with further explanation about internal audit:
