ISO 27001 Clause 9.2.2 General Internal audit programme

by Maya G

In ISO 27001, there is indeed a Clause 9.2.2 titled "Internal audit program." This clause provides requirements and guidance on establishing an internal audit program within an organization's Information Security Management System (ISMS).

ISO 27001 Documentation toolkit, ISO 27001 Implementation toolkit

Here are the key aspects of Clause 9.2.2:

  • Establish the internal audit program: The organization must establish an internal audit program as part of its overall ISMS. This program outlines the objectives, scope, frequency, and methods for conducting internal audits. It should be designed to ensure the effectiveness and conformance of the ISMS with ISO 27001 requirements and the organization's information security objectives.
  • Independence and competence: The internal audit program should ensure the independence and objectivity of the internal auditors. Auditors should be competent and possess the necessary knowledge, skills, and experience to conduct audits effectively. This can be achieved through appropriate training, qualifications, or certifications.
  • Audit criteria and scope: The internal audit program should define the criteria and scope for conducting audits. Audit criteria include ISO 27001 requirements, legal and regulatory obligations, organizational policies and procedures, and any other relevant standards or guidelines. The scope of the audits determines the areas or processes within the organization that will be audited.
  • Audit frequency and planning: The internal audit program should establish the frequency of audits based on the criticality of the processes, the level of risk, and the results of previous audits. Audits should be planned and scheduled in advance to ensure proper allocation of resources and timely execution.
  • Audit objectives and criteria: Each internal audit should have clear objectives and criteria for evaluation. The objectives define the purpose and scope of the audit, while the criteria establish the benchmarks against which the auditors will assess the ISMS's conformance and effectiveness.
  • Reporting and follow-up: After conducting an internal audit, the auditors should prepare audit reports that document the findings, observations, and recommendations for corrective actions. The organization should establish a process for management review and decision-making based on the audit reports. It should also track and follow up on the implementation of corrective actions to address identified non-conformities.
  • Audit records and retention: The organization should maintain records of the internal audit program, including audit plans, reports, and follow-up actions. These records serve as evidence of the audit activities, findings, and improvements made over time. The organization should establish appropriate retention periods for these records.

By following the requirements of Clause 9.2.2, organizations can establish a robust internal audit program that helps assess the effectiveness of their ISMS, identify areas for improvement, and ensure compliance with ISO 27001 requirements. The internal audit program contributes to the continual improvement of the organization's information security management efforts.

ISO 27001, ISO 27001 Documentation toolkit, ISO 27001 Implementation toolkit