
If you are planning your ISO 27001 internal audit for the first time, you are probably puzzled by the complexity of the standard and by what you should examine during the audit, and you are probably looking for some sort of checklist to help you with the task. Here is the bad news: there is no universal checklist that will fit your organisation's needs perfectly, because every organisation is different. The good news is that you can build such a customised ISO 27001 checklist quite easily.

The Steps in the Internal Audit

Let us look at the steps you need to take to build an ISO 27001 checklist and where each step is used. These steps apply to the internal audit of any management system standard, e.g. ISO 9001 or ISO 14001:

Document Review

In this step you go through all the documentation of your Information Security Management System (ISMS), or of the part of the ISMS you are going to audit. The goal is, first, to become familiar with the processes in the ISMS and, second, to see whether the documentation itself contains any nonconformities against ISO 27001.

Making the ISO 27001 Checklist

Basically, you create an ISO 27001 checklist in parallel with the document review: as you read the specific requirements written in the documentation (strategies, policies, procedures and plans), you record them so that you can check them during the main audit. For example, if the backup policy requires backups to be made at regular intervals, you note this in your checklist so that you remember to check later whether this was actually done.

Planning the Main Audit

Since there will be many things to examine, you should plan which departments and locations to visit and when. Your checklist will give you an idea of where to focus most of your effort.

Performing the Main Audit

The main audit, unlike the document review, is very practical. You need to walk around the organisation and talk to employees, check the computers and other equipment, observe physical security, and so on. Your ISO 27001 checklist is essential in this process: if you have nothing to rely on, you can be sure that you will forget to check many important things. You also need to take detailed notes on what you find.

Reporting

Once you complete the main audit, you need to summarise all of the nonconformities you found and produce an internal audit report. Obviously, without the checklist and the detailed notes you will not be able to write an accurate report. Based on this report, you or someone else should raise corrective actions for the findings.

Follow-up

Most of the time, the internal auditor will be the one to check whether all of the corrective actions raised during the internal audit have been closed. Once again, your checklist and notes are very useful here, because they remind you why you raised each nonconformity in the first place. Only after the nonconformities are closed is the internal auditor's job finished.

Making the ISO 27001 Checklist Usable for Beginners

The content of your checklist will depend mainly on the specific requirements in your policies and procedures. However, if you are new to the ISO world, you may also add to your checklist some of the fundamental requirements of ISO 27001 itself so that you feel more comfortable when you begin your first audit. First of all, you need to obtain the standard itself; after that, the process is fairly straightforward. Read the standard clause by clause and write notes in your checklist on what to look for. Be aware that the standards are rather hard to read, so it is most useful if you can attend some sort of webinar or ISO awareness programme in which you learn about the standard in a structured way.

What You Should Include in a Checklist

Reference: e.g. the clause number of the standard, the section number of the policy, and so on.

What to look for: This is where you write down what you will look for during the main audit: whom to talk to, which questions to ask, which records to look for, which premises to visit, which equipment to check, and so on.

Compliance: You fill in this column during the main audit; this is where you conclude whether the organisation has conformed to the requirement. As a rule this will be "Yes" or "No", but sometimes it may be "Not applicable".

Findings: This is where you record what you found during the main audit: the names of the people you spoke to, statements of what they said, the IDs and contents of the records you inspected, descriptions of the premises you visited, observations about the equipment you checked, and so on.

If you are looking to outsource your internal audits, or are looking for ISO 27001 consultants to implement an ISO 27001 compliant ISMS, we would be more than happy to help. Please feel free to contact us for a free consultation on how we can assist you.