ISO 27001 Clause 9.2 Internal Audit

To get an ISO 27001 certificate, a company must carry out internal audits. ISO 27001 Clause 9.2 requires these audits to be done at planned, regular intervals. The goal is to confirm that your information security management system (ISMS) is working as it should. The audit checks that the system follows both your own rules and the requirements of the ISO 27001 standard.

Why Do an Internal Audit?

The purpose of an internal audit is to prove that your security system works well. This check helps you find and fix problems before they get bigger. It also helps you get ready for a main audit.

What is ISO 27001 Clause 9.2 Internal Audit?

The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).

In the ISO/IEC 27001:2022 Standard the clause is titled “Internal Audit”.

What is the ISO 27001 Clause 9.2 control objective?

The formal definition and control objective in the standard is:

ISO 27001:2022 Clause 9.2.1 General – New clause

The organisation shall conduct internal audits at planned intervals to provide information on whether the information security management system:
a) conforms to
1) the organisation’s own requirements for its information security management system;
2) the requirements of this document;
b) is effectively implemented and maintained.

ISO 27001:2022 Clause 9.2.2 Internal Audit Programme – New clause

The organisation shall plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting.
When establishing the internal audit programme(s), the organisation shall consider the importance of the processes concerned and the results of previous audits.
The organisation shall:
a) define the audit criteria and scope for each audit;
b) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;
c) ensure that the results of the audits are reported to relevant management.

Documented information shall be available as evidence of the implementation of the audit programme and the audit results.

What is the purpose of ISO 27001 Clause 9.2?

The purpose of ISO 27001 Clause 9.2 is “To ensure that you have independently checked and verified that the information security management system (ISMS) is operating effectively and meeting its intended outcomes.”

Is ISO 27001 Clause 9.2 Mandatory?

ISO 27001 Clause 9.2 (Internal Audit in the 2022 standard) is a mandatory clause in the main body of the standard.

Key Parts of the Rule

To follow this rule, you should have clear plans and policies. Here are some important steps:

  • Plan the Audit: First, make an audit plan for the whole year. Base it on your most important risks: areas with higher risk should be audited more often.
  • Pick the Auditors: The person doing the audit must be competent. They must also not audit their own work: the auditor should be a different person from the one who set up or runs the controls being checked.
  • Conduct the Audit: The auditor reviews documents and records and may also interview staff. They are looking for evidence that the rules are actually being followed.
  • Report the Findings: The auditor writes a report that records any problems found. The report should describe the problem, not blame individuals.
  • Fix Problems: If a problem is found, you must fix it. You must also have a plan to make sure it does not happen again.

What an Auditor Will Check

An auditor will want to see proof that you are following these rules. They will:

  • Check your audit plan to see if it’s being followed.
  • Check the findings of your internal audits.
  • Make sure the person doing the audit is qualified.