So,the internal audit of ISO 27001, based on an ISO 27001 audit checklist, is not that difficult it is rather straightforward: you need to follow what is required in the standard and what is required in the documentation, finding out whether staff are complying with the procedures.Although they are helpful to an extent, there is no tick-box universal checklist that can simply be ticked through for ISO 27001 or any other standard.And if an ISO management system for that company has been specifically written around its needs (which it should be), each ISO system will be different.You could always call us, too However, you can create your own basic ISO 27001 audit checklist, customised to your organisation, without too much trouble.
Basics By the way, Were taking a broad, simple approach in this blog. But for the best results, wed recommend some training to make the whole process much easier. However, sharing some basics will, at least, demystify the process and provide a basic framework. And these broad principles are applicable for internal audit of other standards, such as ISO 9001, ISO 14001, etc.: So, some basic steps in the process:- Document review. Quite simple Read your Information Security Management System (or part of the ISMS you are about to audit). You will need to understand processes in the ISMS, and find out if there are non-conformities in the documentation with regard to ISO 27001. A call to your friendly ISO Consultant might help here if you get stuck() Creating the checklist. Also quite simple make a checklist based on the document review, i.e., read about the specific requirements of the policies, procedures and plans written in the documentation and write them down so that you can check them during the main audit. For example, if the data backup policy requires the backup to be made every 6 hours, then you have to note this in your checklist in order to check if it really does happen. Take time and care over this it is foundational to the success and level of difficulty of the rest of the internal audit, as will be seen later. Plan which departments andor locations to visit and when your checklist will give you an idea on the main focus required. It is astonishingly practical Walk around the company talk to staff, check computers and other equipment, observe physical security, etc. Your previously-prepared ISO 27001 audit checklist now proves its worth if this is vague, shallow, and incomplete, it is probable that you will forget to check many key things. And you will need to take detailed notes. Reporting. Summarize all the non-conformities and write the Internal audit report. ![]() From this, corrective actions should be easy to record according to the documented corrective action procedure. Follow-up. Its the internal auditors job to check whether all the corrective actions identified during the internal audit are addressed. ![]() The internal auditors job is only finished when these are rectified and closed, and the ISO 27001 audit checklist is simply a tool to serve this end, not an end in itself Checklist Format Some Basic Guidelines A suggestion to aid simplicity Wed recommend 4 columns as follows:- Reference e.g. What to look for what to examine, monitor, etc., during the main audit whom to speak to, which questions to ask, records to look for, facilities to visit, equipment to check, etc. Compliance Simply, has the company has complied with the requirement Yes or No, or occasionally not applicable. Findings Details of the more-specific findings of the main audit I.e. IDs and content of records examined, description of facilities visited, observations about the equipment checked, etc.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |