ISO 27001:2005 ISMS Internal Audit Checklist/Questionnaire

ameerjani007

Dear all,

First, I would like to thank you for all your efforts.

I am working for an IT company and we have recently gone for ISO 27001:2005 certification. Now I am in need of an
'ISMS internal audit checklist/questionnaire'. Please help me with this.

Thank you
AJ:)
 

AndyN

Please be aware that an internal audit of an ISMS should not be focused on the requirements of ISO 27001. An ISMS is designed to meet the requirements of your specific organization, and the Appendix A controls are there to be selected based upon the type and extent of control applicable to your organization.

Simply put, turning all of the standard into a checklist will not be much use to you!
 
ameerjani007

I totally second your thoughts, AndyN; however, out of 133 control objectives I have removed 7 controls which are not applicable to our organization.

Now my question to you is: we have decided to conduct four internal audits per annum. How do you suggest I go about it, like auditing all 126 (133 - 7) controls in one go, or can I postpone a couple of controls to the next round?

The concern is that I am doing this for the first time and I am the owner of the internal audit. So please suggest accordingly...
 

AndyN

Excellent questions! Firstly, the internal audit requirements of ISO 27001 are almost a 'cut and paste' from ISO 9001. Experience has shown that, typically, doing 4 audits a year doesn't meet the requirements - or the intent - of scheduling audits 'based on status and importance'.

In practical terms, it might mean that, if you schedule some controls to be audited in the last 4 months of a year, you might discover that they were compromised in the second quarter! To guide you, think:

Status = Risk (something new or changed)
Importance = The impact of this new or changed 'thing' on clients, regulatory compliance or the organization's policies, objectives etc.
 
BLOGFROG

Some useful info here, guys. My approach will be to complete a full audit of the ISMS once a year, but have a security forum meeting on a regular basis which will be part of the Management Review.
 

AndyN

> Some useful info here, guys. My approach will be to complete a full audit of the ISMS once a year, but have a security forum meeting on a regular basis which will be part of the Management Review.

Sorry, but a full audit once a year doesn't meet the requirements of the standard. The internal audit section is virtually identical - it has to be based on status and importance! That has been discussed here in the auditing forum many times...
 
BLOGFROG

Hi Andy,

Thanks for the comments / guidance. Just to give you some background: we are a small org (fewer than 5 people) going for an integrated 9001:2008 and 27001:2005 system.

We have specified in our procedures that both the QMS and ISMS will be fully audited once per year; we will have 2 management reviews per year and a monthly team/security forum meeting.

We have been audited by BSI for Stage 1 of 27001, and no issues were raised around this.

What would be your suggestions? Many thanks.