Rhand Leal
March 29, 2016
With business processes under constant pressure from management, customers, and other interested parties to protect information exactly as requested (through technical specifications, legal requirements, or business objectives), and with operations growing ever more complex and sophisticated, audit expertise in information security is becoming a critical way to add value to organizations. That makes it a great opportunity for professional development.
In this article I will show you how ISO 27001 internal audit knowledge can help boost a professional’s career, serve as a tool to promote proper information security, and support better control and continual improvement of business processes; I’ll also show you the means by which you can obtain this expertise.
An audit is a systematic process for obtaining and evaluating evidence (information that is relevant and verifiable) to determine the extent to which the audit criteria (e.g., a set of policies, procedures, or requirements) are fulfilled. The term “internal” means that the audit is performed within the organization’s own boundaries and rules, without involving external parties such as customers, suppliers, or certification bodies.
Specifically, for an ISO 27001 internal audit, its results help top management answer three questions:
According to the ISO 27001 standard, the internal audit process must be systematic, i.e., planned, performed, verified, and improved in a well-known and defined manner, by properly trained personnel, whether performed internally or by means of external hiring.
For more information about audit training, read this article: Qualifications for an ISO 27001 Internal Auditor.
Even though the ISO 27001 internal audit process may be considered just one more control, and in some cases even a waste of time (see this article for more information: Dilemmas with ISO 27001 & BS 25999-2 internal auditors), the benefits it can deliver when properly performed outweigh the potential costs, for both the organization and the auditor.
During ISO 27001 implementation, audit knowledge can help the organization identify what needs to be done to comply with the standard, minimizing implementation costs by avoiding rework and the creation of unnecessary controls. Beyond the standard’s requirements, it can help in the evaluation of customers’ and suppliers’ contracts, as well as applicable regulations and laws, ensuring that the information security requirements established in these are also considered in the Information Security Management System (ISMS).
During internal audit activities, audit knowledge can provide benefits like:
As for information security auditors, audit knowledge can provide really good insights into how to build and apply security checklists to evaluate processes’ compliance and performance. This will make their job easier and objective-driven, increasing the organization’s chance of identifying problems and opportunities for improvement and treating them properly. For more information about security checklists, read this article: How to make an Internal Audit checklist for ISO 27001 / ISO 22301.
As for other information security practitioners (e.g., system administrators, incident managers, etc.), audit knowledge can give them a professional edge in terms of organizational recognition and systemic knowledge of business processes.
Even though this knowledge can be obtained through self-learning (e.g., reading books and articles) and by observing an audit (when authorized by the organization), attending a course (provided by the organization or by a third party) is the most recommended way to learn about internal auditing. This is because the standard requires evidence of training, and unless you have a considerable number of registered audit hours, attending a course is the most effective way to obtain that evidence (the certificate) on top of the knowledge.
For information about training and certified providers, read these articles: How to learn about ISO 27001 and BS 25999-2 and Accreditation vs. certification vs. registration in the ISO world.
It is easier to do things right when you understand the rules of the game. By learning how to perform a proper ISO 27001 internal audit, you come to understand the process and criteria used to help the organization decide whether the measures to protect information are well planned, implemented, evaluated, and improved to achieve the expected results. Additionally, this knowledge can have a great positive impact on your career, bringing new opportunities and challenges.
So, even if you are not considering becoming an internal auditor, think about learning how this process is performed. If properly applied, its methods and practices can bring you and your organization many benefits in the implementation and maintenance of the ISMS.
To learn about the internal audit process, please see this free online course: ISO 27001:2013 Internal Auditor Course.