ISMS - Internal Audits

#1
Hi
I am new to this forum and I am just learning about ISO 27001 - wish me luck.
I have looked at a number of Internal Audit Checklists which have all been very informative. What I am struggling with is the actual audits themselves: what documentation and questions should be used when completing the audits on the different aspects of ISO 27001? So for example, is it enough for 6.2 to ask these or do I need to go into more depth?
I am also assuming that these questions would be a report where you would complete an audit, but an overall findings table like the below would be held as a record for quick reference?

[attached image: findings table]

Any help would be greatly appreciated.

Thanks

John Broomfield

Staff member
Super Moderator
#2
Jules,

Welcome to the Cove.

These canned checklists may prompt questions asked and answered by the team responsible over the several months of developing the ISMS and keeping track of progress.

They are of limited use to internal auditors periodically sampling parts of the system and its processes to report on its effectiveness. Each internal audit has its own checklist driven by the audit’s objective.

Instead, train your internal auditors how to plan and prepare for their audit to fulfill each audit’s specific objective. The audit objective could be taken from the system itself, concerns of management or users or from the statement of applicability.

With this objective (from you for each audit) they should be able to:

1. Determine the scope of their audit (where to take their samples).
2. Who to talk to and what to ask (and why).
3. What to look for and why.
4. How to record evidence of effectiveness/conformity.
5. How to determine and report nonconformity for correction/corrective action.
6. How to prepare and present their report, which includes their conclusion per the audit objective.

Items 1 thru 3 are in their checklist with space for supplementary questions. The checklist should also provide room for recording evidence against each line of inquiry per 4 and 5.

The facts from the audit (findings) should go into the report in support of its conclusion which answers the question posed by the audit objective.

From what you say it seems to me that you need auditor training and practice before you train your audit team to be competent internal auditors.

That canned checklist is not the answer.

Best wishes,

John
#3
Thank you for your open and honest advice John, it is very much appreciated.
#5
Hi John, I am also new to this forum. Would anyone be kind enough to share an example of what a full internal audit report looks like? I work in a small company as well and we are trying to build this new department and have been looking everywhere for assistance in how to go about it in this field...
John Broomfield

Staff member
Super Moderator
#6
Most internal audits are process audits combined with the occasional system audit.

Whatever the scope, the auditor reports:

A. The Audit Objective (from the person initiating the audit)
B. Findings (both positive and negative facts from the audit)
C. The Conclusion (which answers the question posed by the objective and is supported by the findings)

Include any corrective action requests and keep it simple.

Best not give any advice or opinions.