© Abhishek Chopra, Mukund Chaudhary 2020
A. Chopra, M. Chaudhary, Implementing an Information Security Management System, https://doi.org/10.1007/978-1-4842-5413-4_7

7. Internal Audit

Abhishek Chopra (1) and Mukund Chaudhary (2)
(1) Faridabad, Haryana, India
(2) Noida, India

“An active and informed audit committee provides the ultimate independent and objective oversight of the corporate control environment, including a focus on emerging trends and risks. Internal auditing is the primary agent of the audit committee within the company.”

—Ford Motor Company

The previous chapter discussed implementing security controls as per the ISO 27001 standard guide. You also learned about the need for policies and procedures required during the implementation process.

This chapter focuses on understanding the internal audit requirements, conducting the audit, preparing the audit report, and closing the findings before the external audit. This chapter lays the foundation for the following:
  • Preparing an internal audit team

  • Conducting audits

  • Closing findings/gaps

  • Planning improvement

  • Communicating

Preparing an Internal Audit Team

Once all the security control implementation is done, it’s time to perform an internal audit to verify the accuracy of the implementation and to ensure that no more gaps exist.

The information security team may form an audit team by selecting experienced members or subject matter experts from relevant departments who will be responsible for identifying and closing gaps. Choosing an internal auditor can be a strategic decision for the organization.

The audit team should include people from different departments, such as the IT department, software development, human resources, and the finance department. Before they join the ISO 27001 audit team, they need to take an internal auditor or ISO lead implementer training course, which teaches them how to plan, execute, and report on an ISMS audit.

Once the audit team is formed, its members undergo training, which brings them up to date on the current standard, expands their existing knowledge and skills, and qualifies them to conduct an internal audit. The core focus of training the audit team is to prepare them for the audit.

Some companies identify an experienced person within the organization to perform the internal audit, while other companies use an external auditor.

Here are a few of the types of internal auditor an organization may need:
  • Full-time internal auditor: Organizations whose scope of work is very large and that have more audit work prefer a full-time resource. For example, banks need to obey the law and have such roles.

  • Part-time internal auditor: This is the most common case in small or mid-sized organizations. These types of organizations prefer someone who will perform his regular job throughout the year and conduct an internal audit several times as per the requirements.

  • Internal auditor from outside the organization: Some companies prefer a person from outside the organization to conduct the internal audit. This may be due to lack of skill within the organization or due to limited resources. It is important to note that the consultant or expert will be allowed to do the audit as per the organization policy only.

    Note It is best to have at least two auditors so that they can audit each other’s work to avoid any conflict of interest.

What are the characteristics you should look for before hiring an outside consultant?

The answer is very simple—hire a consultant who can add value to the organization, who matches your requirements, and who can reduce your implementation time by providing solutions or alternative ways.

Some of the parameters that companies keep in mind when hiring a third-party consultant or internal auditor are as follows:
  • Experience of auditor: It should be obvious that when you’re hiring a consultant for your ISO 27001 internal audit, you should look at the experience level and expertise of the consultant. Consider asking a few questions:
    • How many years of experience do you have with ISO 27001 implementation/auditing?

    • Are you a certified ISO 27001 lead implementer or ISO 27001 lead auditor (or have any other certificate that indicates you are trained for this job)?

    • In which industry do you have the most experience? For example, an auditor must have domain understanding. If an auditor is from an IT background and has no experience with the banking domain, he’s not a good choice for a banking audit.

  • Regional auditor: When you are hiring an auditor, it is very important that she knows your language in order to communicate effectively. Also, when the auditor is from the same region, traveling is not a challenge.

  • Reputation: It is very important to take services from well-recognized vendors or consultants. If this subject matter expert has published articles or books, for example, chances are you are hiring the correct person.

    Tip Watch out for consultants who focus more on selling their tools and materials rather than understanding your business requirements.

Conducting Audits

When you choose to implement ISO 27001 ISMS, you are required to conduct an internal audit.

The ISO 27001 internal audit helps you examine whether your organization-defined ISMS is compliant with the standard requirements. It also helps the organization achieve its set business objectives and ensures that the organizational policy and procedures you’ve implemented are being followed.

Auditing is time consuming and requires the organization to work on the process improvement part continuously. The frequency of the internal audit varies depending on the organization’s need and the complexity of the system or process they are following. Generally, organizations plan for semiannual internal audits.

If an organization recognizes multiple risks, it could perform internal audits more frequently. The banking system, for example, requires regular internal audits. Most organizations are free to choose the frequency of their internal audits—monthly, quarterly, semiannually, or yearly.

Note

All ISO management system standards (such as ISO 9001, ISO 14001, and ISO 27001) require the organization to conduct a regular internal audit as part of its performance evaluation.

Audit Plan

Whenever you do some important activity in your life, it’s a good idea to plan for it first. For example, when you go on vacation, you plan the travel, and then plan for the stay. Why do we plan in this manner? The answer is to avoid any risk during your vacation or trip.

Similarly, when you audit your organization, planning is a must. Before initiating the internal audit, the organization must develop an audit plan that defines the audit’s objectives, scope, and criteria. The following key items cover what you should take care of when planning for an ISO 27001 internal audit:
  1. Objective and scope of audit plan: The client should define the objectives and scope of the audit. Here are some examples of good objectives:
    • To assess the implementation and effectiveness of the ISO 27001 controls.

    • To assess compliance with the applicable laws and regulations.

    • To assess compliance with internal policies and procedures.

    Similarly, the scope should also be covered in the audit plan. For example, the scope of work for an internal audit can be:

    • To review the policies and procedures of the organization.

    • To review the means of safeguarding assets of the organization.

    • To review the laws and regulations that impact the business.

      The scope of the audit should include a description of the physical location of the organization, units, support functions, and any exclusions.

  2.

    Audit schedule: Once the scope of the audit is clear, the next thing to do is to prepare the audit schedule. The audit schedule will cover all the projects/departments that will be audited as part of the new audit cycle. It is also important to share the audit schedule with the auditor/auditees and the management team, as full commitment is needed from every stakeholder during this exercise. Even with an external audit, the lead auditor will verify the audit schedule as evidence of an organization’s commitment to the internal audit exercise. This schedule usually includes the location of the audit, the start date, the end date, and the name of the auditor/auditees.

    Note Recently closed projects are not typically included but can be included to check the whole process and to learn how security controls are planned and implemented during this project’s lifecycle. If specific feedback needs to be shared with the team members, it will be helpful for the future projects.

Figure 7-1 shows a sample audit schedule.

Figure 7-1. An internal audit sample plan

  3.

    Audit teams: The audit team consists of the auditor (the one who audits the organization to achieve the business objective) and the auditees (the ones being audited). For example, departments such as HR, IT, finance, and other support functions that take part in the audit could be the auditees.

Pre-Audit Meeting/Briefing

There can be one or more pre-audit meetings between the information security team and the auditors. They should take place no later than one day before the actual audit. The objectives of the meeting should include:
  • Ensure the availability of all the resources needed and other logistics that may be required by the auditor.

  • Verify the scope of the audit from the audit plan.

Opening Meeting

The opening meeting is conducted on the day of the audit, but before the start of the actual audit. The auditee/auditors, CISO (Chief Information Security Officer), and senior management may participate. The purpose of the opening meeting is to brief the team about the objective of this audit. The following topics should be discussed during the meeting:
  • Describe the purpose and scope of the audit to the team.

  • Present the confirmation of the audit plan.

  • Discuss the general guidelines/rules to be followed by the audit team during the audit.

It’s now time to discuss how to conduct the audit. Audits are generally conducted using an audit checklist. A checklist is a suitable means of performing an internal audit, as checking each control one by one will ensure that you have not missed any controls and you can meet the audit requirements.

Figure 7-2 shows the sample HR audit checklist. Similarly, you can have a checklist for all the departments as part of the ISMS audit.
Figure 7-2. A sample audit checklist for the HR department

You can start your audit with a document review, which includes checking the policy and procedure documents. Some mandatory documents must be produced to the auditor to be ISO 27001 compliant. The list of documents is as follows:
  • Scope of the ISMS—This is as per Clause 4.3.

  • Information security policy and objectives—As per Clauses 5.2 and 6.2.

  • Risk assessment and risk treatment methodology—Per Clause 6.1.2.

  • Statement of Applicability—Per Clause 6.1.3d.

  • Risk treatment plan—This is mandatory per Clauses 6.1.3e and 6.2.

  • Risk assessment report—Per Clause 8.2.

  • Definition of security roles and responsibilities—The roles and responsibilities should be clearly defined for the ISMS audit. This gives everyone a clear understanding of the expectations from the different teams and is mandatory as per Clauses A.7.1.2 and A.13.2.4.

  • Inventory of assets—Mandatory as per Clause A.8.1.1.

  • Acceptable use of assets—As per Clause A.8.1.3.

  • Access control policy—As per Clause A.9.1.1.

  • Operating procedures for IT management—This is again one of the important clauses, A.12.1.1.

  • Secure system engineering principles—As per Clause A.14.2.5.

  • Supplier security policy—Clause A.15.1.1.

  • Incident management procedure—This is again very important if you are doing ISMS to reduce your incidents and is mandatory per Clause A.16.1.5.

  • Business continuity procedures—Business continuity is crucial and it is recommended to read ISO 22301 (the business continuity management system). BCP is mandatory as per Clause A.17.1.2.

  • Statutory, regulatory, and contractual requirements—As per Clause A.18.1.1.

You also need to check these mandatory records:
  • Training records, skills, experience, and qualifications—As per Clause 7.2.

  • Regular monitoring and measurement results—As per Clause 9.1.

  • Internal audit program—As per Clause 9.2.

  • Recording results of internal audits—As per Clause 9.2.

  • Results of the management review—As per Clause 9.3.

  • Record the result of corrective actions—As per Clause 10.1.

  • Logs of all user activities, exceptions, and security events—As per Clauses A.12.4.1 and A.12.4.3.

    Note To perform the audit, you need to meet relevant departments, review their processes and procedures, and sometimes physically verify the controls.

Audit’s Finding Report

Once the audit is completed, the internal auditor must present the audit's finding report to the auditees. The audit’s finding report must clearly define the weakness or risks identified. You may include the following sections in your audit report:
  • Introduction to the audit scope, objectives, and methodology used for conducting an audit.

  • Summary of key findings of the weaknesses or non-compliance areas.

  • Recommendations and suggestions on any given control. It is purely the auditees’ choice whether to accept or reject the suggestions shared by the auditor.

As shown in Figure 7-3, the internal audit report covers the following items:
  • The sample report contains any non-conformities observed during the auditor’s interaction with the auditees or during the document review.

  • The root cause is where the auditor indicates why the issue or non-conformity occurs.

  • The report also contains corrective or the preventive actions that need to be taken by the auditees during the closure of the gaps/findings.

Figure 7-3. The sample audit report

Closing the Findings and Gaps

After conducting the audit and sharing the report with the auditees, it is important to close the findings. Auditees must reply to the findings reported in their areas by filling out the corrective and preventive action summary shown in Figure 7-2. Corrective actions refer to immediate actions that the team will take to close the information security gaps. Preventive actions refer to the steps or processes the team needs to address so that these security gaps do not occur again.

To close the finding, you need to revisit your finding report and understand the weakness or non-compliance. By reading the recommended strategy mentioned by the auditor, you can easily close them.

For example, say the auditor gave you non-compliance (NC) in Control A.11.3.3, which says you must have a clear desk and screen policy. First look at the description of this finding. In this example shown in Figure 7-2, the finding says that “Although the clear desk and clear screen policy is documented, a few desks were found to be cluttered with loose papers, files, and folders on the desktop screen.”

This is clearly a non-compliance case. The team responsible for this compliance needs to know the root cause of this NC. The example says that it was due to lack of awareness. So, in order to resolve this non-compliance, you need to make the team aware of the rule and take actions to resolve it. The department head can be directed to remove the papers from the desk and instructed to store them in a safe place. The team can also be advised to read the policy document again and follow it.

By following these generic steps for all the non-compliances or weaknesses, you can close the gaps. The auditor can then review the changes to ensure that the listed weaknesses or gaps no longer exist.

Planning Improvement

Once the audit findings are complete, it becomes important to assess where your information security implementation is weak. For some organizations, this can be their first implementation exercise or their first internal audit exercise. In general, it is assumed and expected that in the first implementation, not all the improvement areas can be implemented. There could be constraints and challenges at various levels in your organization, office site, and so on.

Also, once you look closely at the findings observed during the internal audit, you might see the various reasons they occurred and how they impacted the implementation.

Here are some examples of possible reasons for the gaps:
  1. Lack of awareness.

  2. Half implementation only.
    • Policy doesn’t cover all scope areas.

    • All the controls in the policy were not fully implemented.

  3. The wrong implementation.

  4. Practice not followed consistently. For example, access rights reviews are not performed periodically.

  5. New areas not discovered during the planning stage may remain uncovered.

When you look at these points, it will give you an overall picture that you might have to improve. If you don’t want to improve them, what can happen? If you allow the gaps to remain in the system, they will grow further and create new problems. You cannot predict the impact of the new problems unless and until you are aware of the actual root causes. Hence, it is important to eliminate these gaps from the system as early as possible.

Eliminating Gaps

Now it’s time to prepare an action plan for the identified improvements and gaps. You need to list all the identified areas for improvement, in the order of largest impact to least impact. The goal is to eliminate big problems first. Okay, so it may not be possible to execute all large impact improvements first. At the same time, it is important to update management, so that they are aware and informed about such improvements/decisions.

Once the improvement list is set, assign an owner and a timeline to each improvement. It is important to give them enough time (realistically) for each improvement. The improvements must be planned effectively and, once implemented, they must give the desired result. Hence, it is important to track the progress of the implemented improvements. This is the responsibility of the information security team, as maintaining the improvement tracker is their job. Any deviation and progress must be tracked so that planned improvements are completed with less deviation in the schedule. If you read all these points, you’ll see that they follow the PDCA (Plan, Do, Check, and Act) cycle. PDCA is the essence of all ISO standards.
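The finding report fields described earlier (non-conformity, root cause, corrective and preventive actions) and the action plan just described (ordered by impact, with an owner and a timeline per improvement, and schedule deviation tracked) can be kept in a small findings register. The following Python script is an added example, not code from the book; the Finding class, the 1-to-5 impact scale, the reference date and the three sample findings are all constructed here. The first sample finding mirrors the chapter’s clear desk example; the other two are illustrative.

```python
"""Findings register for an ISMS internal audit (added example, not from the book)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Finding:
    """One row of the audit findings report; fields follow the report sections in the chapter."""
    control: str             # clause or Annex A control the non-conformity is raised against
    description: str         # what the auditor observed
    root_cause: str          # why the non-conformity occurred
    corrective_action: str   # immediate action to close the gap
    preventive_action: str   # process change so the gap does not recur
    impact: int              # 1 (low) to 5 (high); a constructed scale, not one from the standard
    owner: str               # person accountable for closing the finding
    due: date                # agreed closure date
    closed_on: Optional[date] = None   # None while the finding is still open


def is_open(f: Finding) -> bool:
    return f.closed_on is None


def prioritized(findings: List[Finding]) -> List[Finding]:
    """Order the improvement list largest impact first; ties go to the earlier due date."""
    return sorted(findings, key=lambda f: (-f.impact, f.due))


def overdue(findings: List[Finding], today: date) -> List[Finding]:
    """Open findings whose agreed closure date has already passed."""
    return [f for f in findings if is_open(f) and f.due < today]


def schedule_deviation_days(f: Finding, today: date) -> int:
    """Days late (positive) or early (negative). Open items only count once they are past due."""
    if f.closed_on is not None:
        return (f.closed_on - f.due).days
    return max(0, (today - f.due).days)


def closure_rate(findings: List[Finding]) -> float:
    """Fraction of findings closed; an empty register counts as fully closed."""
    if not findings:
        return 1.0
    return sum(1 for f in findings if not is_open(f)) / len(findings)


def status_report(findings: List[Finding], today: date) -> List[str]:
    """One line per finding in priority order, suitable for a management update."""
    lines = []
    for f in prioritized(findings):
        state = "closed" if not is_open(f) else ("OVERDUE" if f.due < today else "open")
        lines.append(
            f"{f.control:<9} impact={f.impact} owner={f.owner:<11} due={f.due} "
            f"{state:<8} deviation={schedule_deviation_days(f, today):+d}d"
        )
    return lines


# Constructed reference date and sample findings for the example.
TODAY = date(2020, 3, 1)

SAMPLE_FINDINGS = [
    Finding("A.11.3.3",
            "Clear desk and clear screen policy is documented, but a few desks were found "
            "cluttered with loose papers, files, and folders on the desktop screen",
            "Lack of awareness",
            "Department head to have papers removed from desks and stored in a safe place",
            "Team re-reads the policy; topic added to the awareness session",
            2, "HR head", date(2020, 2, 15), closed_on=date(2020, 2, 10)),
    Finding("A.9.2.5",
            "User access rights reviews are not performed periodically",
            "Practice not followed consistently",
            "Review all active accounts now",
            "Add a quarterly access rights review to the IT operations calendar",
            4, "IT manager", date(2020, 2, 28)),
    Finding("5.2",
            "Information security policy does not cover all in-scope locations",
            "Half implementation only",
            "Extend the policy to the remaining sites",
            "Check scope coverage at every policy review",
            3, "CISO", date(2020, 3, 31)),
]


if __name__ == "__main__":
    for line in status_report(SAMPLE_FINDINGS, TODAY):
        print(line)
    print(f"closure rate: {closure_rate(SAMPLE_FINDINGS):.0%}")
    print("overdue:", [f.control for f in overdue(SAMPLE_FINDINGS, TODAY)])
```

Run as a script, it prints the register in priority order with the overdue access review at the top, which is the list the information security team would carry into the management update; the deviation column is the schedule tracking the chapter asks for.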

Can You Eliminate All Gaps?

With the limited resources/facilities that most people work under these days, it might not be feasible to eliminate all the gaps. In such scenarios, you usually can’t work on the gaps together or in parallel.

Trying to eliminate all the gaps might not be as effective, as the desired result may lack quality. Most improvements need to be incorporated by teams/employees. If you try to implement an improvement without team buy-in, it won’t be accepted by the team, which would defeat the purpose.

Communicating

During the ISO 27001 implementation, it is very important to communicate at every stage. During the internal audit process, it becomes important to communicate with everyone as well.

So, why is it so important to communicate?

One thing that most organizations lack is good communication within the organization and with the employees. During the audit process, not every employee gets audited. A few representatives from the team will face the audit team’s questions. It is not feasible to audit each employee, as auditing is a sampling exercise.

When many members are not involved, it becomes important to communicate the status and findings noted during the audit to all the employees in the organization. People are the most important factor in information security breaches. Hence, it is important to keep the people in the organization updated about the security findings and their associated impacts. This will help reduce security incidents in the organization.

Note

The audit team can create a communication plan along with the audit plan. This will not only boost the team’s communication but will also ensure that nothing is missed because of poor coordination or different communication styles.

Summary

In this chapter, you learned about the importance of the internal audit. It must be performed as part of the implementation exercise and is a mandatory part of the ISO 27001 standard. You also learned what’s covered as part of the audit process. For example, you must form audit teams, perform audit training, set up an audit schedule, create the audit report, and close any gaps. The chapter also explained the importance of preparing and executing the improvement plan to further strengthen your organization’s ISMS.
