Understanding and Enhancing the Values of ISO/IEC 27001 Internal Audit
Published 11/13/2023
Originally published by CAS Assurance.
What is the ISO 27001 Internal Audit?
Generally, internal audit is defined as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization achieve its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” (The Institute of Internal Auditors). Borrowing from this general definition of internal audit, we can define the ISO 27001 internal audit as the mandatory independent and objective activity for evaluating and improving the effectiveness of an organization’s Information Security Management System (ISMS) to achieve its objectives.
Internal audit is required by the ISO standard to help an organization ensure that the objectives of its ISMS are being achieved and that the requirements of the ISO 27001 standard are complied with.
Why is the ISO 27001 Internal Audit so important?
You may have come across a statement like the following in an auditor’s report before: “because of inherent limitations, internal control may not prevent, or detect and correct misstatements and projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or the degree of compliance with the policies or procedures may deteriorate.”
The establishment and implementation of an organization’s ISMS is usually influenced by its needs, objectives, risks, processes, people, technology, security requirements, structure, and size. Every one of those influencing factors is subject to change over time. As a result of these inevitable changes, the policies, procedures, and security controls designed and implemented to achieve the objectives of the ISMS and to ensure compliance with the requirements of the ISO standard may become inadequate over time. Further, compliance with those policies, procedures, and controls may deteriorate over time because of human error or deliberate violations.
Considerable money and effort are usually expended on establishing, implementing, and maintaining an organization’s ISMS. Of what value is an ISMS that fails to achieve its objectives? The ISO 27001 internal audit is therefore critical to ensuring that changes, weaknesses, control gaps, and violations (non-conformities) that could frustrate the achievement of the ISMS objectives are quickly identified and addressed. It also helps the organization identify opportunities for improving the overall ISMS for better results. Those are the primary goals of the ISO 27001 internal audit. The other, very important, goal is that it is required for an organization to obtain and maintain its ISO 27001 certification.
Failure to perform the ISO 27001 internal audit as required could cost the organization much more than it would have cost to conduct the audit. Potential consequences include, but are not limited to:
- Increased risks to the ISMS – Without periodic internal audit, security weaknesses, violations, and control gaps resulting from changes in process, people, structures or technologies may not be identified and addressed. This increases the likelihood of data breaches.
- Forfeiture of certification – Failure to perform internal audit as required by the standard will more than likely result in one or more major non-conformities. A single major non-conformity will prevent an organization from obtaining or maintaining the ISO 27001 certification.
- Legal, regulatory, and contractual concerns – The loss of certification, increased risks and possible security breaches will potentially have expensive consequences.
- Weakened customer trust – The lack or loss of an important certification such as ISO 27001 when customers expect the organization to have the certification will weaken their confidence in the ability of the organization to protect their information, creating a competitive disadvantage for the entity.
- Loss of return on investment – Failure of the ISMS to achieve its objectives, leading to some or all of the aforementioned consequences, is a loss of the benefits expected from investing so much money and effort to implement the ISMS.
When should an organization perform ISO 27001 Internal Audit?
Clause 9.2.1 of the ISO/IEC 27001 standard requires the organization to conduct internal audits at planned intervals to provide information on whether the ISMS:
- Conforms to: (i) the organization’s own requirements for its ISMS, (ii) the requirements of the standard
- Is effectively implemented and maintained
Generally, the standard gives an organization the flexibility to determine the intervals at which internal audit of its ISMS is conducted. Each organization must determine those intervals to match its needs and circumstances. In making such a determination, an organization would need to consider factors such as:
- The size and complexity of the organization
- Regulatory, legal, and contractual requirements
- Rate of changes in its processes, structure, people, or technology
- Results of its risk assessments and previous audits
The ISO 27001 certification is valid for three years, and it requires that surveillance audits be performed by the external auditor in the two years between certification/re-certification audits. Since internal audit is a mandatory requirement for ensuring and demonstrating continued conformity to requirements, it is reasonable to perform an internal audit of the ISMS at least once a year.
Who should perform ISO 27001 Internal Audit?
There are some basic principles that are central to the practice of auditing in general. Those principles include, among others, the competence, integrity, and independence of the auditor. In most cases, internal audits are conducted by the organization’s own personnel. This will be the case when the organization has personnel with the requisite general and ISO 27001-specific auditing competence. Where personnel with the required competence are not available internally, organizations often outsource the internal audit function to external auditors with the required competence and independence.
In all cases, it is important for the auditor to be independent of the ISMS activities or functions being audited. Independence of the auditor is required to ensure objectivity and absence of bias in judgment, and fairness in presentation and reporting.
Conclusion
Obtaining and maintaining ISO 27001 certification is a significant advantage for an organization in assuring and demonstrating its commitment to safeguarding the confidentiality, integrity, and availability of its valuable information assets. Leveraging the internal audit function required by the ISO standard as a management tool to keep the ISMS on course and steer it towards achieving its objectives will provide invaluable benefits, including reduced risk, competitive advantage, and better assurance for customers and other external stakeholders.