Thursday, 7 January 2016

How to Prepare Any Organization for ISO 27001 Internal Audit

If you are planning an ISO 27001 internal audit for the very first time, you are probably puzzled by the complexity of the standard and by what you should check during the audit process. In reality there is no universal checklist that fits every company perfectly, because every company is different; the good news is that you can develop a customized checklist quite easily.

Steps for ISO 27001 Audit:
  • Document review: In this step you read all the documentation of the Information Security Management System (ISMS) or Business Continuity Management System (BCMS) in order to (1) become acquainted with the processes in the ISMS, and (2) find out whether the documentation contains nonconformities with regard to ISO 27001 or ISO 22301.
  • Creating the ISO 27001 checklist: Build the audit checklist in parallel with the document review. As you read the specific requirements written in the policies, procedures and plans, write them down so that you can verify them during the main audit. For instance, if the backup policy requires a backup to be made every 6 hours, note this in the checklist so that you remember later on to check whether this was really done.
  • Planning the main audit: Since there will be many things to check, you should plan which departments and/or locations to visit and when; the checklist will give you an idea of where to focus the most.
  • Performing the main audit: The main audit, as opposed to the document review, is very practical: you walk around the company, talk to employees, check the computers and other equipment, observe physical security, and so on. The checklist is crucial in this process; if you have nothing to rely on, you will forget to check many important things.
  • Reporting: Once the main audit is finished, you summarize all the nonconformities found and write an internal audit report. Without the checklist and the detailed notes taken during the audit, you will not be able to write a precise report. Based on this report, someone else will have to open corrective actions according to the corrective action procedure.
  • Follow-up: In most cases, the internal auditor will be the one to check whether all the corrective actions raised during the internal audit have been implemented. The checklist and notes are very useful here for recalling why each nonconformity was raised in the first place. Only after the nonconformities are closed is the internal auditor's job finished.
