ISO 27001 Internal Audits – PDFs, and Some Advice from an ISO Consultant
There’s plenty on the web about ISO 27001 Internal Audits. I occasionally get the impression that people think a free ISO 27001 PDF download will cover everything, rather like a cake recipe. There are lots of free documents on the internet.
Actually, we’ve created our own free “ISO 27001 PDF download”, It shows that ISO 27001 certification is far more than a tick box template exercise.
Meanwhile we DO offer our own professionally-produced ISO 27001 PDF download templates, We have our own shop page here. And we’ve blogged in more detail about it here. We offer a full suite of documents supported by one-to-one experienced help. This is much more than a free tick sheet from the internet.
And there’s the significant issue of a copy of the ISO standard document itself. If you are going to try completing internal audits to ISO 27001, buy a copy of the actual standard document here. It may be expensive, but really auditing to its requirements without having a copy is a major problem. Why?
We can divide internal auditing to ISO 27001 into two key areas –
The Main Standard
ISO 27001 is a Management System Standard, like ISO 9001 and 14001 etc. It’s built on the same foundation as 9001. At its core has many of the same requirements. A classic Venn Diagram would show significant overlap between ISO 9001, ISO 14001, and ISO 27001.
Now, in my experience, the certification bodies don’t seem to be so bothered about internal audits of these main “foundation” sections of the standard at the moment. However, should UKAS decide to have a little word with them, their priorities would suddenly have to change. So, I’d look at process audits and audits of the main clauses anyway.
This will safeguard against an over-zealous external auditor raising “non-compliance” issues. Then redesigning your system on your behalf, “right there in front of you”, and on his terms. He won’t know how your business works, but he’ll have the power to make your life difficult…
“Annex A” and The Statement of Applicability
Secondly, buy a copy of the standard and you will get a copy of “Annex A”. This is vitally important for ISO 27001 Internal Audits, as it’s where all the “techie stuff” is hidden. This needs to be used in conjunction with your Statement of Applicability.
(“Our what?” – As part your approval you will have compiled a “Statement of Applicability”. You can’t get certification without one, so it must exist somewhere in your files)
This “statement” determines which of the Annex A controls you have implemented, where and why. For example, control A.9.1.1 is “Access Control Policy”. This asks whether you have controls over who can access your data. Examples are, “do you need a log on and password” – or can anybody waltz into your business approach a terminal and get access to your customer and financial records ?
A Hot Topic – Security.
If this all sounds a bit obscure, please be aware that this is the area that certification bodies are currently focusing on. Their aim is simple; they want to see that you have a structured, regular scheme for auditing compliance against the controls in “Annex A”. That is, confirming that what is said in the “statement of applicability” affects your normal business life. And that it’s actually being done. This is precisely what you are aiming for in conducting ISO 27001 Internal Audits. Quite simply, a bespoke, logical system that safeguards your business. This is way beyond an ISO 27001 PDF download template of vague intentions…
Annex A has over 130 controls, so some form of table or matrix is the best way of planning their audit, and making sure that they all get covered in a defined time frame. Your friendly ISO Consultant can help!
We Can Help
If you’d like some pragmatic assistance in making sure this gets completed in a timely and cost effective manner why don’t you give us a ring and we can help you with the whole process, including producing checklists designed around your business so that even your less-experienced internal auditors can complete highly-effective ISO 27001 Internal Audits.