How should I decide what to include in my Internal Audit Plan?
The standard tells you the requirement, which gives you some clues. ISO 27001 (clause 9.2, internal audit) says the objective is to assess whether the ISMS both "a) conforms to the organization's own requirements for its information security management system; and the requirements of this International Standard; and b) is effectively implemented and maintained."
It also says that the "audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits".
I suggest planning a programme over 3 years, with the main internal audits taking place a month or so before the certification audits (the initial certification audit and the annual surveillance audits). Note that the programme can consist of multiple internal audits covering many different topics over that period; it does not have to be a single audit.
The programme can be split into two parts: the management system clauses (4 to 10) and the Annex A controls.
Clauses 4 to 10
It is important that your audit programme looks at some, if not all, of clauses 4 to 10. Just looking at controls is not really looking at your ISMS. Which clauses matter most is fairly obvious, but I would expect most internal audit programmes to cover the risk assessment and clause 8 (operation, which includes the risk assessment and risk treatment actually being carried out) as a minimum.
Controls
Which controls you audit, when and where should be based primarily on risk. Look at certification audit reports, any supplier audits undertaken of your company, previous internal audit reports and so on. Other documents to look at include the risk assessment, incident reports and nonconformity reports. Also consider what has changed in the scope: Is there a new change control process? Are there new staff? Is there a new IT system? Are there any controls listed in the Statement of Applicability (SoA) that are not implemented? Are there any new controls? Which risk treatment actions are due to be completed, and when?
This controls testing needs to consider all aspects of the scope, for example business functions, IT systems and locations. Some controls might only be audited once in the 3 year period, at a very high level, while others could be audited every N months in great detail. The key driver should be the risk assessment, since that should give a good indication of the relative importance of the controls.
Usually people create a programme that audits all the clauses and controls over a 3 year period, and then adjust it to reflect the various factors above.
My advice is to "go for it and make some decisions", then modify the programme over time based on what you learn.
If you have a question about an aspect of ISO27001 please contact Chris Hall with your query.