To maintain certification against ISO 27001, the reference standard for Information Security Management Systems (ISMS), organizations must carry out internal audits at planned intervals, which in practice usually means once a year. The internal audit checks that the ISMS is operating as documented and as the standard requires, confirms ongoing compliance, and surfaces areas that need improvement before an external auditor finds them.
What is an internal audit?
An internal audit is an objective, systematic and documented examination of an organization's ISMS against the requirements of ISO 27001 and the organization's own policies. It assesses whether the ISMS is effectively implemented and maintained, records non-conformities, and identifies opportunities for improvement.
Who can conduct an internal audit?
Our CISO, Branko, can conduct the internal audit for you; he has more than 12 years of experience in information security and is familiar with the platforms and tools involved. Organizations can also bring in external professionals to carry out the audit. Whoever performs it must be objective and impartial, which in practice means they must not audit work they are responsible for themselves.
You can book an internal audit with our internal auditor by clicking here.
What is the best time to have an internal audit?
There is a lot of flexibility on this point. We have supported customers who went through their internal audit months before the external audit, as well as customers who did it only 1-2 weeks before.
We advise scheduling the internal audit at least several weeks before the external audit. This leaves enough time to fix the non-conformities and other findings from the internal audit before the external auditor sees them.
How to prepare for an internal audit in Secfix
If you choose to have the internal audit performed by our CISO Branko, you can expect the following steps:
Finish all pending tasks from the project status report. This is mandatory.
Gather all manual evidence, except for items that can only be completed after the internal audit.
Go through the "Clauses" tab within the Statement of Applicability (SoA).
Ask Branko to review your Statement of Applicability (including the "Clauses" tab) and the manual evidence records you have added to Secfix.
Internal audit opening call (15 min):
Confirm the scope of the audit and of the ISMS by going over the following items:
Changes in the scope since the last audit (if applicable)
SoA review for non-applicable controls
Confirmation of the number of people in scope
Confirmation of the locations in scope
Verification that the evidence is available in the Secfix platform (manual evidence uploads, automated evidence verification, and the Risks, Policies, Vendors, Assets and Access modules)
Internal audit closing call (45 min), approximately 5 days after the opening call:
Branko gives you feedback and walks you through the preliminary findings from the audit. Together you review any additional evidence, discuss remediation strategies for confirmed non-conformities and finalise the internal audit report.
Don't forget to add the internal audit report to your manual evidence afterwards; the external auditor will expect to see it.
After these steps you should have a clear picture of your audit readiness, a list of findings to remediate, and the confidence to move forward with the external audit.