Standards, including: ISO 27001, SOC, the PCI Data Security Standard, FedRAMP, the Australian Signals Directorate (ASD) Information Security. Concepts, and that cloud is included in the scope of the customer’s audit program. Governance Checklist Checklist Item.
One of the core functions of an information security management system (ISMS) is a periodic and independent internal audit of the ISMS against the requirements of the ISO IEC 27001:2013 (ISO 27001) standard. This function, as required by clause 9.2 of the ISO 27001 standard, is commonly the most challenging function to implement in a way that meets each of the requirements set forth in the standard, especially for smaller organizations. This is due to its prescriptive nature, and the need for resources that are both independent of the development and maintenance of the ISMS and possess the requisite competencies to perform the internal audit function. Below, we take a look at the clause and its individual requirements.
Clause 9.2 of the ISO 27001 standard requires that the organization shall conduct internal audits at planned intervals to provide information on whether the ISMS both conforms to organization’s own requirements for its ISMS (9.2a) as well as conforms to the requirements of the standard (9.2b). There are additional explicit requirements documented within this clause, detailed below.
Audit Program (9.2c)
The audit program should be documented to include the frequency and timing of internal audit functions, methods by which the internal audit will be conducted, and assignment of responsibilities for the planning, performance, and reporting of internal audit results.
Audit Criteria and Scope (9.2d)
While the audit program may take a higher level look at the internal audit function as a whole, it may be necessary to document the specifics of each audit that is planned. With respect to the internal audit of the controls within an organization’s statement of applicability, a risk based approach may be desired due to available resources, the need for more frequent review of controls mitigating higher risks, and directives by management or ISMS owners. Each periodic audit should be accompanied by the documentation of the criteria and scope of the audit to ensure objectives are met.
Auditor Selection and Independence (9.2e)
When selecting the audit team that will be responsible for conducting internal audit activities, it is paramount to consider the independence and impartiality of the members. Those responsible for conducting the audit should take care to ensure they are not auditing functions over which they have operational control or ownership. This is especially important when considering the auditors who will be reviewing the ISMS against the standard. One of the most common issues of nonconformity external auditors encounter is in the area of the internal audit of the ISMS against the standard, where the internal auditor selected had an integral role in developing the ISMS or continues to have a role in decision making for the maintenance and direction of the ISMS. If the internal auditor is auditing work that he/she created, or if the responsibility of initiating or implementing any corrective action falls back to that internal auditor, there may be an issue of independence.
Reporting on Audit Results (9.2f)
Once an internal audit has been conducted, the internal auditor has a responsibility to ensure the results are reported to appropriate management. Clause 9.3 includes a requirement that the periodic management review of the ISMS includes a review of, among other inputs, the results of the last internal audit. Identifying reporting and communication channels is the responsibility of the ISMS owners and is a requirement of the standard, specifically clause 7.4.
Audit Program and Record Retention (9.2g)
The planning documentation, as well as the records gathered during the internal audit activities, should be retained by the organization to ensure objectives are met. The results of the internal audit should also be maintained as a record of performance and support for the conclusions reached by the internal audit function. Documenting record retention policies is the responsibility of the ISMS owners and is a requirement of the standard, specifically clause 7.5.3.
The keys to an effective certification review, as well as the internal audit function, are a thorough understanding of the standard, effective planning, and clear and concise documentation. Also, a successful and well-operated ISMS, beyond the certification, requires acceptance and participation by all of those involved and under the direction of the system, form top management to staff level personnel.
It seems that many people look for an ISO 27001 PDF Download Checklist on the web.
We’ve created our own here, easily downloadable. However, it shows how wide the scope of ISO 27001 is.
We are not in favour of the approach behind an ISO 27001 PDF Download Checklist as we wrote here. Like most ISO standards, successful approval will involve the whole business. Not a checklist in the IT department. Or anywhere else.
We do, however, make our key ISO 27001 PDF download templates available for sale via our shop page. These are not checklists, but the solid foundations for system design. And they are fully remote-supported by our staff .
However, as an ISO Consultant, I’m frequently asked the same question about ISO 27001:-
“So ISO 27001 is all about IT Security isn’t it ?”
Well, “yes”. But mainly “no”.
What Is It About, Then?
The standard is about installing a quality management system. This manages the security of all information held by the organisation (IT security does, of course, play a part in this), As a result has a significantly wide wide reach across a business.
But just how wide?
Here’s a list of the documentation used by us for a recently approved company. Are you sitting comfortably? And this isn’t even the complete version.
Policy for all Staff
Information Security Policy Statement – Statement of system requirements
Information Security – Objectives Table – Progress in implementing the IS Policy Statement
Information Security Management System Manual – System explanation & responsibilities for all staff
Supporting Documentation
Company Organisation Chart
Management Responsibility Statements and Job Descriptions – Documented responsibility statements for those holding security responsibilities
Network and Server Architecture Diagram – Diagram of all the IT network and services covered by the Information Security Management System
Approved Software – Software which can be installed on PS’s as required
Network Capture/Analysis/Scanning Tools – List of network tools that can only be used by IT Support staff
Control of Non-Conformance and Corrective Action Procedure – What to do if you think there is a security breach,and what will be done subsequently..
Use of Email, Internet, and Social Media – Specifics on use of email, social media etc.
( Possible Addition to the Employee Handbook)
IT Support Procedure – How to log security breaches or any other IT issues you need help with.
Control of Documented Policy & Procedures, – How to update/get a policy or procedure updated
Data and Records
Human Resources Index – Staff Handbook and HR related procedures
Information Security Risk Assessment & Treatment Plan – What the risks are to our information
Statement of Applicability for ISO 27001 – Responses with evidence for the Appendix Compliance Questions
Register of Legislation and Handling – Register of applicable legislation
Business Continuity Plan – How to keep the business running if an emergency occurs.
Supplier and Sub-Contractor Management – How to select sub-contractors and suppliers and what security practices affecting them should be in place
Purchasing Procedure
Approved suppliers and sub-contractors list- List of those who have confirmed acceptance of your security practices.
Internal and External Audit Procedure – How to complete ISO audits
ISO 27001 Audit Plan – Schedule/Plan for audits
Audit Report Form Template – Template for audit results
Preventive Action and Management Review- Planning the development of the security system and implementing a full review of the system by management.
Management Procedure for Training and Competence –Description of how staff are trained and make themselves familiar with the management system and competent with security issues.
Information Systems Continuous Improvement plan
Data Protection Registration
Requirements for Specific Roles
IT Support
IT Network Managers Security Procedures – Security procedures specific to the Network Management Role
Backup Procedures – Procedures for backing up information and records
Assets and Services – List of all IT and Information Assets
New Joiners
Induction Checklist Evidence that new joiners are made aware of information security system practices and requirements.
Marketing
PR process – Process to ensure press releases etc. are suitable approved prior to release.
Phew! Yes, it really is that involved. I think that this is outside the scope of most ISO DIY-ers with their ISO 27001 PDF Download Checklist . We’ve even left some things out of this.
However, this is simply a “to-do list”. A “how to do” approach is what is really needed.
All ISO standards should be bespoke to the business. Otherwise, they don’t “fit” it’s aims, activities, and culture. And, if they don’t fit, they don’t work. Hence why you need an ISO consultant to help.
Successful approval to ISO 27001 and it’s is way more than what you’d find in an ISO 27001 PDF Download Checklist. If you think we could help, please drop us a line!.