ISO 27001 Clause 9.2 Internal Audit

To get an ISO 27001 certificate, a company must carry out internal audits. ISO 27001 Clause 9.2 requires these audits to be performed at planned, regular intervals. The goal is to confirm that your information security management system (ISMS) is working as intended. The audit checks that your system conforms both to your own documented requirements and to the requirements of the ISO 27001 standard.

Why Do an Internal Audit?

The purpose of an internal audit is to show, with evidence, that your security management system is effective. This check helps you find and fix problems before they grow. It also helps you prepare for the certification audit.

How to Do It

  • Plan the Audit: First, make an audit programme for the whole year. This programme should focus on the most important risks. Areas with higher risk should be audited more often.
  • Pick the Auditors: The person who does the audit should be competent at auditing. They also must not check their own work: the auditor should be a different person from the one who set up or operates the control being audited.
  • Conduct the Audit: The auditor will review documents and records. They may also interview staff. They will look for evidence that the rules are actually being followed.
  • Report the Findings: The auditor will write a report. This report will point out any nonconformities they found. It should describe the problem, not blame a person.
  • Fix Problems: If a nonconformity is found, you must correct it. You must also have a corrective action plan to make sure it doesn’t happen again, and keep records of both the audit and the corrective actions.

Frequently Asked Questions

Do I need an audit plan?

Yes, you must have an audit programme. It should record when audits were done in the past and when they are scheduled in the future.

What will an auditor check?

A certification auditor will check your audit programme to see if it is being followed. They will also review the findings of your internal audits and the corrective actions taken. They want to make sure the person doing the internal audit is competent and independent of the area audited.

Who does the audit?

The person who does the audit should not be responsible for the area being audited. This keeps the check objective and impartial.