Antonio Jose Segovia
March 30, 2015
The ISO 27001:2013 standard does not set requirements that an internal auditor must meet in order to carry out an audit, but it does clearly require that the organization select its auditors.
How can an organization select an auditor? By establishing requirements. If no requirements are established, anyone could audit an ISMS. What would happen if a person without experience or training in information security audited an ISMS? The simple and emphatic answer is: the auditor would not contribute value.
Therefore, if an auditor is going to add value to an organization by performing an internal audit, it is very important and highly recommended that he or she has adequate experience and demonstrable knowledge in information security.
If you want to know what options you have to learn more about ISO 27001, you can read this article: How to learn about ISO 27001 and BS 25999-2.
In short, we need to establish requirements that allow us to check that the internal auditor has demonstrable experience in ISO 27001, which is basically composed of the PDCA cycle (the Deming Cycle: Plan, Do, Check, Act), risk management, and a series of information security controls. Some organizations establish a selection process for internal auditors; in this case the organization asks the potential auditor to complete a short test consisting of a series of questions. In addition to this test, the organization also interviews the candidate to verify his or her professional background (experience and training), and only if the candidate meets all the requirements and completes all the steps will he or she be eligible to conduct the internal audit.
In addition to the training and experience, it is usually a plus for an internal auditor to hold a certification (e.g., IRCA, CISA, etc.) or be qualified by any Certification Body (e.g., BSI, AENOR, Applus, SGS, Bureau Veritas, etc.). But, personally, I don’t worry so much about these certifications because there are professionals who are certified and qualified, but only audit once a month, and there are professionals who are not certified or qualified who have more experience because they perform audits every day. Therefore, the important thing to me would be to define the experience, the training, and the demonstrable knowledge that the internal auditor has.
Therefore, in accordance with ISO 27001 you need an internal auditor, and you need to establish requirements to select one. A less experienced auditor can do the job, but if you want to add value through an internal audit, an experienced internal auditor is crucial.
Learn how to perform an internal audit in this free ISO 27001 Internal Auditor Online Course.