Internal audits are essential for maintaining ISO 27001 compliance. Clause 9.2 of the Standard requires organisations to conduct internal audits at planned intervals and to retain documented information as evidence of the audit programme and the audit results; in practice, that evidence is the internal audit report.
But how do ISO 27001 audits work, and why do you need to document the results? We explain everything you need to know in this blog, including our top tips for writing an ISO 27001 internal audit report.
What is an ISO 27001 internal audit?
An ISO 27001 internal audit is a thorough examination of an organisation’s ISMS (information security management system) to ensure that:
- It meets the requirements of ISO 27001;
- It meets the organisation’s aims and objectives; and
- The policies, processes and other controls work as intended.
An internal audit is one of two assessments that organisations must complete to achieve ISO 27001 certification; the other is the certification audit.
Each type of audit is conducted in a different manner and for a different purpose. The certification audit is carried out by an accredited certification body, which assesses the ISMS to determine whether the organisation should be certified.
By contrast, the internal audit is conducted by or on behalf of the organisation itself, using auditors who are independent of the area being audited (Clause 9.2 requires the selection of auditors to ensure objectivity and impartiality). The organisation uses the results to inform future decisions regarding the ISMS.
The internal audit report is therefore a crucial part of the process. It helps the organisation identify weaknesses that could jeopardise both its compliance status and the security of its information.
The organisation should use the results of the audit to make improvements before the certification audit.
Internal audits should be repeated at planned intervals, following an audit programme that takes into account the importance of the processes concerned and the results of previous audits, to ensure that the ISMS remains compliant and effective.
Why do I need to create a report for an internal audit?
Organisations are required to document their ISO 27001 internal audits so that they can:
- Identify nonconformities and weaknesses before an attacker exploits them;
- Strengthen their security posture by flagging areas that need attention before an incident occurs;
- Demonstrate management commitment and give management the evidence it needs to make decisions;
- Support staff understanding and awareness; and
- Inform continual improvement.
Preparing your ISO 27001 internal audit report
An ISO 27001 internal audit report is typically split into four sections.
1. Executive summary
The executive summary gives decision makers an overview of the organisation’s compliance status and any nonconformities that must be addressed. It might also contain:
- A summary of the findings;
- Critical issues; and
- Corrective actions and opportunities for improvement.
2. Describe the audit
The audit report should contain relevant information about how the audit was conducted. This should include the audit criteria (the clauses, controls, policies and procedures the ISMS was assessed against), but might also specify details of the audit’s scope, such as the areas that were covered, the locations and the relevant staff, as well as the key findings of the assessment.
Findings shouldn’t be limited to areas of non-compliance; you should also describe areas of strength and other positive notes.
These details can be presented either as their own section or as an addition to the executive summary.
3. Document nonconformities and opportunities for improvement
One of the main objectives of the internal audit is to identify areas where the organisation’s practices fail to meet the requirements of the Standard or the organisation’s needs.
Each finding should be documented in the audit report, together with the evidence that supports it and the requirement it fails to meet, so that corrective actions and improvements can be recorded, assigned and tracked to closure.
4. Define corrective actions
Because the internal audit is intended to bolster the organisation’s compliance posture, the report must conclude by recording the corrective actions that will address each nonconformity. Note that the auditor reports the nonconformities; the corrective actions themselves are decided by the managers responsible for the affected area, as Clause 10 of the Standard requires, so that the auditor’s independence is preserved.
These actions will follow on from the identified nonconformities, stating the steps that the organisation must take to close each compliance gap, who is responsible for taking them and by when, so that the next audit can verify that they were effective.
Simplify your internal audit reporting with IT Governance
With IT Governance’s ISO 27001 Toolkit, you’ll receive the support you need to complete an internal audit process quickly and efficiently.
Developed by the experts who led the world’s first ISO 27001 certification project, this toolkit contains customisable templates to complete the internal audit process, along with more than 140 documents to manage ISO 27001 compliance.
It’s directly aligned to the clauses and controls of ISO 27001, ensuring complete coverage of the Standard.