The following bullets are the TLDR version of this post on ISO 27001 internal audits with a focus on startups.
Internal Audit is required by ISO 27001 but not SOC 2. As such, many companies have Internal Audit as a gap when they try to expand from SOC 2 to ISO 27001.
In this guide, we will walk you through the process of conducting an internal audit for ISO 27001 compliance, discussing the requirements, the challenges faced by startups, and how to streamline the process using a platform like Vanta. By following these steps, you will be better prepared to evaluate your organization's information security management system and ensure its effectiveness in protecting sensitive data.
ISO 27001 requires companies to conduct internal audits at planned intervals to ensure that their information security management system (ISMS) is effectively implemented and maintained. The internal audit process should be systematic, independent, and documented, focusing on evaluating the conformity of the ISMS with the requirements of the standard. This includes assessing the risk management processes, evaluating the effectiveness of controls, and identifying areas for improvement.
Specifically, Section 9.2.1 of ISO 27001 states:
The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system:
a) conforms to
1) the organization’s own requirements for its information security management system;
2) the requirements of this document;
b) is effectively implemented and maintained.
Section 9.2.2 of ISO 27001 states:
The organization shall plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting.
When establishing the internal audit programme(s), the organization shall consider the importance of the processes concerned and the results of previous audits.
The organization shall:
a) define the audit criteria and scope for each audit;
b) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;
c) ensure that the results of the audits are reported to relevant management;
SOC 2 is not an ISO standard. SOC 2 does require organizations to establish and maintain effective internal controls over their information systems, but it does not explicitly call out internal audit as a required control. To comply with SOC 2, companies should still assess the design and operating effectiveness of their security controls; SOC 2 is simply less prescriptive about internal audit. Although the specific requirements for internal audits differ between ISO 27001 and SOC 2, both standards emphasize the importance of a systematic and independent approach to evaluating the organization's information security management practices.
Startups often face challenges when conducting internal audits due to limited resources, lack of expertise, and competing priorities. As a growing company, allocating time and resources to establish a robust internal audit process can be difficult. Additionally, finding qualified and impartial auditors within the organization might be challenging, as employees may have multiple roles and responsibilities, leading to potential conflicts of interest.
As you can see below, doing an internal audit requires time and resources.
Begin by defining the scope of the audit, which includes identifying the areas, processes, or departments to be audited. Determine the objectives of the audit, such as assessing compliance with ISO 27001 requirements, evaluating control effectiveness, or identifying improvement opportunities. This often starts with drafting an internal audit policy and associated procedures.
Create a detailed audit plan that outlines the audit's timeline, resources required, and key milestones. The plan should also include information on risk assessments and methodologies to be used during the audit.
Choose auditors who have relevant experience in information security management systems and are independent from the area being audited. This ensures objectivity and impartiality during the process. See more below on this 👇.
Inform relevant stakeholders about the upcoming internal audit to ensure their cooperation and support. Provide them with necessary details such as audit scope, objectives, schedule, and expectations.
Prior to conducting the internal audit, review key documentation related to your organization's ISMS. This may include policies, procedures, risk assessments, previous audit reports, and other relevant records. Familiarize yourself with these documents to gain a deeper understanding of your organization's information security landscape.
Develop checklists based on ISO 27001 requirements that will help guide you through each phase of the internal audit process. These tools should cover all aspects of your organization's ISMS in accordance with its specific needs.
One requirement of ISO 27001 for internal audit is that the results of the internal audit be reported to management. Ideally, this is done through a combination of channels, including a written report.
By following these steps for planning and preparing for an internal audit, you can better ensure a thorough evaluation of your organization's ISMS while maintaining compliance with ISO 27001 requirements.
Vanta can help with most of the above steps. Vanta is a platform that simplifies the internal audit process for startups by automating the collection and verification of evidence, streamlining communication between auditors and the organization, and providing a centralized dashboard for tracking progress. By leveraging Vanta's technology, startups can save time, reduce the risk of errors, and ensure a more efficient internal audit. If you're a Vanta customer looking for an internal audit, reach out and we'll tell you how easy we make it.
The cost of an internal audit can vary greatly depending on factors such as the size and complexity of your company, the scope of the audit, and the expertise of the auditors. Dedicating one FTE to internal audit is often not feasible for a small startup, but, given the ISO 27001 requirement that internal auditors be independent of the area being audited, it is also hard to do an internal audit with existing staff. The effort can be significantly higher for larger organizations or those with more complex information security management systems.
Many companies, especially startups, opt to hire a consultant or contractor to do their Internal Audit. This is a smart approach to address this requirement. If you're interested, we offer Internal Audit services at Workstreet.
By assembling a team with a broad range of expertise, organizations can better identify potential gaps, risks, and areas for improvement in their information security management system (ISMS).
One additional team requirement in ISO 27001 is that the internal audit team, or person, cannot be the team or person that set up or manages the ISMS. This usually means that companies need to hire a dedicated person or people to run their internal audit function.
You're a startup. You need to comply with ISO 27001. And you do not have the resources or time to hire a full time person responsible for Internal Audit.
If that 👆 is you, then Workstreet is a good fit to be your internal auditor. We have experience and are super efficient. We can manage your internal audit from start to finish and ensure you align with the controls in ISO 27001.
Better yet, if you're a startup that uses Vanta, Workstreet can get your internal audit done quickly and inexpensively - we have special pricing for Vanta customers! We also offer discounts based on multi-year pricing (an internal audit should be done annually). Reach out today to learn more.