Phase IV: ISO/IEC 27001 Internal Audit

After successfully completing all prior scoping, gap, and remediation phases, it is now time to perform an internal audit for ensuring your organization is ready to move forward with an actual ISO/IEC 27001 certification audit by an accredited certification body (CB). Simply stated, you need to perform an ISO/IEC 27001 “dry run’ prior to engaging and bringing on an actual CB for the ISO/IEC 27001 certification audit.

The internal audit gives you the chance to truly test your controls against all of the in-scope Annex A controls from ISO 27002:2022 that were documented in your Statement of Applicability (SoA). Therefore, if you have any nonconformities, now is the time to correct them before the auditors arrive!

Besides, an internal audit is a strict requirement, per the ISO/IEC 27001:2002 standard. Specifically, Per ISO/IEC 27001:2022 - Information security, cybersecurity, and privacy protection — Information security management systems — Requirements:

9.2 Internal audit

9.2.1 General
The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system: a) conforms to 1) the organization’s own requirements for its information security management system; 2) the requirements of this document; b) is effectively implemented and maintained.

9.2.2 Internal audit programme
The organization shall plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. When establishing the internal audit programme(s), the organization shall consider the importance of the processes concerned and the results of previous audits. The organization shall: a) define the audit criteria and scope for each audit; b) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process; c) ensure that the results of the audits are reported to relevant management; Documented information shall be available as evidence of the implementation of the audit programme(s) and the audit results.

We build Customized ISO/IEC 27001 Internal Audit Programs | Download Today

With MorganHill, we give you two (2) great options when it comes to ISO/IEC 27001 internal audits. You can download our ISMS Internal Audit Program template, or we can take our existing ISMS Internal Audit Program template and create a highly customized document for your organization’s exact needs.

We offer industry leading security documentation for helping organizations develop all required Information Security Management System (ISMS) policies, procedures, programs, and plans in accordance with ISO/IEC 27001 & 27002:2022.