PQBD44 V 13 SF 11 P
D 44v13
ISO 27001 internal audit
Goal
1 Scope
2 Normative references
3 Definitions
4 Principles
4.1 Management principles
4.2 Audit principles
4.3 Performance of the ISMS
5 Audit program
5.1 General
5.2 Objectives
5.3 Risks
5.4 Establishing
5.5 Implementing
5.6 Monitoring
5.7 Reviewing and improving
6 Conducting an audit
6.1 General
6.2 Initiating
6.3 Preparing
6.4 Audit activities
6.5 Audit report
6.6 Completing the audit
6.7 Audit follow-up
Annexes
Goal of the module: To conduct an internal audit according to ISO 19011 in order to:
www.pqbweb.eu 1 / 11
ISO 27001 internal audit PQB D 44 S v 13
1 Scope
Audit: a systematic and independent survey to determine whether activities and results
comply with pre-established measures and are capable of achieving the objectives
Internal audits, also called first party audits, are a requirement of the ISO 27001 standard (cf.
sub-clause 9.2).
External, customer (or supplier) and certification audits, also called second and third party
audits, are not within the scope of this module.
Internal audits are the most widespread tool for checking and evaluating the effectiveness of
an information security management system (ISMS). They are never intended to find the weak
points in personnel. The internal audit has entered many companies' daily lives as it has
become inseparable from:
It's only through other people's eyes that one can really see one's weakness. Chinese
proverb
The internal audit results are part of the inputs of the management review and allow the
identification of areas in which to improve the information security management system (ISMS),
such as:
No system is perfect
As shown in figure 1-2, for the process "Perform an audit", top management (via the
management review) is considered the audit client, with needs and expectations that are
themselves related to processes and various requirements.
In the 1980s internal audits were mostly documentary - did you write down what you do?
Later, in the early 2000s, internal audits were more about conformity - does what you do meet
the requirements of the standard?
Now internal audits are essentially about effectiveness - how do you improve your
performance?
2 Normative references
The guidance given in ISO 19011 can be summarized under the following headings:
A good knowledge of the ISO 27001 standard is required to understand and follow this module.
All these standards and many more can be ordered in electronic or paper format on the ISO
site.
More than 28,000 standards (in English and other languages) are available on the
Public.Resource.Org site.
3 Definitions
Some terms and definitions currently used in management systems and audits:
Examples of interested parties: investors, customers, suppliers, employees and social, public
or political organizations
In the terminology of information security management systems, do not confuse the following:
Remark 1: each time you use the term "improvement opportunity" instead of nonconformity,
malfunction or failure, the auditee will gain a little more confidence in you. This is a matter of
tone in the interview: in the audit report, a failure to meet a requirement must still be recorded
as a nonconformity together with its supporting evidence (ISO 19011, sub-clause 6.4.8).
Remark 2: the use of ISO 19011 and ISO 27000 definitions is recommended. The most
important thing is to determine a common and unequivocal vocabulary for everyone in the
company.
Remark 3: the customer can also be the user, the beneficiary, the initiator, the client, the prime
contractor, the consumer.
Remark 4: ISO 19011 version 2018 uses the terms procedure, record and documented
information together. We also use the terms procedure and record alongside the term
documented information.
For other definitions, comments, explanations and interpretations that you won’t find in this
module and annex 06, you can consult:
When I think of all the books still left for me to read, I am certain of further happiness.
Jules Renard

J. P. Russell, The Internal Auditing Pocket Guide, ASQ Quality Press, 2002
Dennis Arter et al., How to Audit the Process Based QMS, ASQ Quality Press, 2003
Spencer Pickett, The Essential Handbook of Internal Auditing, John Wiley & Sons, 2005
Karen Welch, The Process Approach Audit Checklist for Manufacturing, ASQ Quality Press, 2005
Paul Palmes, Process Driven Comprehensive Auditing, ASQ Quality Press, 2009
David Hoyle, John Thompson, ISO 9000 Auditor Questions, Transition Support, 2009
J. P. Russell, The Process Auditing and Techniques Guide, ASQ Quality Press, 2010
Raphaël Hertzog et al., Kali Linux Revealed: Mastering the Penetration Testing Distribution, OFFSEC Press, 2017
Tamuka Maziriri, ISO/IEC 27001 Lead Auditor: Mastering ISMS Audit Techniques, Independently Published, 2019
Cees van der Wens, ISO 27001 handbook: Implementing and auditing an 'Information Security Management System' in small and medium-sized businesses, Brave New Books, 2020
4 Principles
The seven quality management principles (cf. figure 4-1) will help us achieve sustained
success (ISO 9001, sub-clause 0.2).
• independence, to:
  o conduct an impartial audit
  o write objective conclusions
• the evidence-based approach, to reach conclusions that are:
  o reliable, verifiable and reproducible
• risk-based thinking, to achieve the objectives of the audit by:
  o identifying and reducing threats
  o seizing opportunities
But also:
• independence (the auditor and the audited activity have no conflict of interest), to
guarantee:
  o objective conclusions
  o findings based on objective evidence
• a factual approach, to ensure that:
  o the audit evidence is verifiable
  o the audit conclusions are repeatable
• remain available
• do not try to hide the truth
• do not be afraid of the answers
• objectively accept the nonconformities found
• be aware of participating in the improvement of the ISMS by being:
  o benevolent and
  o cooperative
N.B. We can be effective because we achieved our objective, yet not efficient if we used too
many resources or tolerated and produced too much waste!