Part of running an effective ISO 27001 Information Security Management System (ISMS) is running an effective internal audit programme. The purpose of the audit programme is to make sure that the ISMS conforms to your own requirements as well as to the requirements of the standard, and to check that it is working effectively. If you have a good audit programme, you should get lots of improvements. If you don’t get lots of improvements, you should review your audit programme.

The ingredients you need to run an effective audit programme are an audit plan, really good auditors and a process that ensures non-conformities and observations get acted upon.

Really good auditors are trained in auditing, are objective and are impartial to the area being audited. The auditors you choose also need to have certain traits (see list of auditor traits), and you certainly need people who understand how to look at a process and are able to add value. I always like to think of auditors as “business consultants”.
In large organisations this is fairly simple to set up, as they typically have the resources and you can find auditors who are completely independent of the process they are auditing. In small and medium-sized organisations this can be tricky, both in terms of finding the resources and in terms of finding auditors who are independent. Many organisations therefore choose to outsource the audit function to an external consultant, allowing employees to focus on the core business. By outsourcing you also get the added benefit of having a completely fresh set of eyes doing the auditing.
Once the auditors have been selected, they will need to prepare by reviewing relevant documentation and perhaps producing checklists. They might conduct opening and closing meetings, and they need to document the audit as well as any non-conformity reports (NCRs). The audit findings may be non-conformities or observations – ‘Opportunities for Improvement’ or ‘Areas of Good Practice’.

Having a great audit programme as well as great auditors is paramount to the value you will get out of your ISMS. If implemented effectively, you should see many business, process and information security improvements as a result.

Contact us at info@jscconsultant.co.uk if you need either an outsourced audit service or training of employees as internal auditors.