ISO 27001 Internal Audit Case Study

This is a case study of an ISO 27001 internal audit that Dionach performed for a public sector organisation based in the Republic of Ireland. Some of the information has been changed or omitted to maintain confidentiality.

Background

The client is certified to the international standard ISO 27001. The standard requires that internal audits of the Information Security Management System (ISMS) be carried out at planned intervals by auditors who are objective and impartial with respect to the area being audited. The audits shall determine whether the ISMS:

  • Conforms to the requirements of the standard
  • Conforms to the organisation's own information security requirements
  • Is effectively implemented and maintained
  • Performs as expected

The client felt that it could not resource the audit personnel from within the organisation, and so commissioned Dionach to carry out the internal audits.

Internal Audit

The organisation decided to split the auditing of the ISMS into several stages throughout the year. The scope of the initial audit was the following areas:

  • Risk Assessment
  • Information Handling
  • Physical Security and Incident Reporting

Prior to the audit, Dionach requested copies of the ISMS and other relevant documentation from the organisation. Dionach consultants familiarised themselves with the client's documentation and with the organisation in general. Dionach then produced a detailed schedule of audit tasks and interviews and agreed it with the client.

On site, the consultants liaised with the organisation's ISMS Manager, starting with a tour of the site to gain an initial view of the physical security controls and a chance to meet some of the staff.

The Dionach consultants followed the auditing guidelines specified in ISO 19011, applying the following principles: ethical conduct, fair presentation, due professional care, independence, and an evidence-based approach.

Drawing on notes taken from documentation, observations and interviews, the consultants gave feedback at the end of every day to the organisation's ISMS Manager on any likely non-conformances or comments.

On the final day, Dionach presented a draft report of findings, each graded as a major non-conformance, a minor non-conformance, or a comment. There were no major non-conformances within the scope of the audit, several minor non-conformances, and two comments. The minor non-conformances ranged from easily corrected inconsistencies in the ISMS documentation to issues that would need to be discussed at length in the organisation's Information Security Forum.

In the closing meeting the client agreed to produce a corrective action for each of the non-conformances by a specified date.

Dionach provided the client with a final version of the audit report, and now looks forward to carrying out the next part of the internal audit process.