ISO 27001 Internal Audit

Part of running an effective ISO 27001 Information Security Management System (ISMS) is running an effective internal audit programme. The purpose of the audit programme is to make sure that the ISMS conforms to your own requirements as well as to the requirements of the standard, and to check that it is working effectively. If you have a good audit programme, you should get lots of improvements. If you don’t get lots of improvements, you should review your audit programme.
The ingredients you need to run an effective audit programme are an audit plan, really good auditors and a process that ensures non-conformities and observations get acted upon.
You need “business consultants”
Really good auditors are trained in auditing, are impartial to the area being audited and can ensure objectivity. The auditors you choose also need to have certain traits (see the list of auditor traits), and you certainly need people who understand how to look at a process and are able to add value.
I always like to think of auditors as “business consultants”. In large organisations this is fairly simple to set up, as they typically have the resources and you can find auditors who are completely independent of the process they are auditing.
In small and medium-sized organisations this can be tricky, both in terms of finding the resources and in terms of finding auditors who are independent.
Outsource Internal Audit
Many organisations therefore choose to outsource the audit function to an external consultant, allowing employees to focus on the core business and leaving the auditing to an expert. By outsourcing you also get the added benefit of having a completely fresh set of eyes doing the auditing.
Preparation is key
Once the auditors have been selected, they will need to prepare by reviewing relevant documentation and perhaps producing checklists. They might conduct opening and closing meetings, and they need to document the audit as well as any non-conformity reports (NCRs). The audit findings may be non-conformities and observations, or ‘Opportunities for Improvement’ and ‘Areas of Good Practice’.
Having a great audit programme as well as having great auditors is paramount to the value you will get out of your ISMS. If implemented effectively you should see many business, process and information security improvements as a result.
If you need either an outsourced audit service or training of employees as internal auditors, then contact JSC Consultant.
In JSC Consultant our approach is:
- All our Senior Consultants have an extensive background in business
- They also have many years of ISO 27001 training, assessment and implementation experience
- No project is the same and hence time is spent understanding the specific situation of the client
- Projects typically include a thorough gap analysis and risk assessment as input for the system design
So if you are considering ISO 27001, call us now (+44 7966 79 6789) to discuss how we can help you design and implement a great ISO 27001 compliant Information Security Management System and avoid all the pitfalls.