Internal Audits to ISO 27001 (Information Security)

[S. Thompson]

Hi there,

We are currently going through our 2nd surveillance to 27001 (Information Security) The auditor is here at the moment with our Chief Informaiton Security Officer.

My collegue has within the last few minutes told me that the auditor will raise a non conformance against him as he has been perfoming internal audits. My collegue does not agree with this (as I don't) The auditor has citied that he can not be impartial as he works for the company and owns the system. (my collegue has just completed a full audit training programme)

He said it would be acceptable that I audit the 27001 system we have in place although my collegue argued that I would not have the specialised knowledge to do this. Failing this, then an external company.

I have been performing internal audits at the company for 15 years to 9001 and for 3 years to 14001 and have not had one non conformance re this previously.

I would appreciate your information on this please?

Many Thanks

[Marc]

The rule is you can not audit your own work. It is not that you can not audit the work of someone who works under/for you.

This is the reason for many discussions of "Who Audits the Auditor?"

[S. Thompson]

I understand this - that you cannot audit your own work - that is why another auditor audits areas of 9001 & 14001 that I am responsible for such as document control, internal audits etc. This auditor has said that because the Information Security Manager owns the IMS he cannot audit it. I class the management systems as being 'owned' by the company not one person.

Any comments greatly appreciated.

[Colin]

Perhaps the argument could be that the IMS manager doesn't own the IMS, the departmental managers own their bit and the IMS manager manages the system. The IMS manager is not responsible for purchasing for example but is responsible for ensuring that there are appropriate systems in place to provide control over the information used in the department.