Where a business has a new or an existing established information management system, internal audit is going to be part of the information security management systems.
The role of the third-party independent internal auditor in performing the internal audit for a business is to review the controls which are in line with the ISO27001 and compliance with such standard.
This will allow your business to see what is working but also identify any gaps or inconsistencies which could require updates.
If you look at this briefly at the internal audit summary and just park it with very little or no progress it is unlikely to show any improvements that your business made.
“No matter how much you prepare, have redundant systems, or audit, there will periodically be a black swan event that is completely unlike whatever you experienced before” - Matt Mullenweg.
The control 18.2.1 (section 9.2 of ISO) refers to the ‘Independent review of information security Control’ that your business takes in relation to the information security management system at regular intervals.
Audit Report to Improvement Log
The internal audit summary is provided to your business the first couple of pages may be difficult for the reader to map as to which controls apply to each of the item listed from the high-level summary. The audit summary is provided covering the areas which were part of the audit scope of controls 12.7.1 and 18.2.3 of the ISO27001 following the last audit with your business.
The next step from this to take each line item and include in the improvement log. By doing this the correct controls and the supporting background details can be added so that it is easy to understand why that specific control may require attention or remedial action. If this is done sooner to the time when the audit report is compiled, then it will make it easier to update whilst it’s fresh instead of doing this at a later date.
Ownership of Improvements
Whilst a business has several key operating areas and it can be difficult at times to find an owner. Equally once an owner can be assigned to each improvement action then that owner needs to understand exactly what is required of that individual. This may deal with a number of areas including risks or assets. A risk owner “is entirely responsible for managing threats whereas an asset owner is entirely responsible for the asset”, Luke Irwin of Security Boluvard.com. The key thing here is going to be that each of the improvements are seen as something which can be completed by the due date. There is nothing worse than open items not being completed by the time the next internal or external audit is due. If this does happen then lack of progress usually does not go down well with the auditor.
Closure of Improvements
Whilst a business has a number of key operating areas and it can be difficult for the key individuals at times to make ISO27001 improvements a priority and without disturbing revenue related day to day activities.
Sometimes it becomes a last-minute dash to get an internal audit item completed or if not extend the due date.
If planning the improvements can be achieved in advance before its due-date and reminders are sent to the key individuals, then any updates reviewed at the next management review meeting may speed things up when it comes to closure.
Put yourself in the shoes of the auditor, if a business presented you with an improvement log which had lots of unpopulated information and was only partially complete you would want to know why it was not complete. Staying on top of is crucial to getting items completed.
Improvement Log Updates for Internal Audit
Take some time to make sure that all items are listed in the improvement log following the internal audit are accurate and have the same reference number to the internal audit summary. This is help with any direct correlation on the day of the next internal audit.
If you inherit a partially populated update or need make a new entry in the improvement log, make sure that it is clear as to which details are required.
Not Sure What the Details are Around the Improvement?
If it is unclear as to what was discussed on the day of the internal audit relating to a specific area then you can go through your notes again, compare this with the audit report or maybe have a brief discussion with the auditor so that is clear. Where you are unclear as to what the control issue is then it becomes difficult to agree on the right remedial action. Once it is clear, the right outcome can be applied.
Get Some Expert Support
The auditor is going to be an expert in this area and, if you are on the other side from another discipline, it may be daunting for some. The ISO27001 standard is long and complex and there are a number of controls to deal with. Either you may turn to an internal certified expert or look for external support to get you through the audits and the ongoing work required.
Whether it is a new or an existing information security management system there are going to be a few internal audits throughout the year for your business needs to get used to these.
Making your organization aware including any senior stakeholders in advance of when the internal audit is happening and being organized will help you to manage the internal audit in a smoother fashion.
The internal audit considers a number of controls out of which certain areas that need to be addressed by the business in order to meet the standard and certification requirements. It is for the business to ensure that these are actioned to demonstrate compliance.Looking for ISO27001 Help?