Selecting an internal auditor, but who?

A customer called me and asked about doing their own ISO 27001 internal audits. After all, they are “internal audits”, but what are the pitfalls?

Looking at clause 9.2 of the standard it says:

The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system ...

Ok, that’s fine. So I need to plan them, and so on and so forth, but then it says:

The organization shall ...

e) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;

Ok, that’s fine, so you essentially cannot audit a process that you are involved in (as you cannot ensure impartiality). So if your auditor works full-time in the business, they cannot audit their own processes, controls, etc. For example, if you have selected an internal HR person to do your audits, they could not audit “Controls A7 Human resource security”.

But that is not the end of it. If you look at the standard “as a whole”, have a read of Clause 7.2. This says:

7.2 Competence. The organization shall ...

a) determine the necessary competence of person(s) doing work under its control that affects its information security performance;

b) ensure that these persons are competent on the basis of appropriate education, training, or experience; etc.

So in internal audits the person doing the audit should be competent. If they have never been educated, trained or experienced in carrying out audits before, can they be deemed competent to carry out an audit? No, in short. At an external audit recently for another customer I was asked for proof of my competence to do internal audits (of course, I had this to hand and my customer passed their audit, no problem). So if you are selecting an internal auditor who works full-time in your organisation, do so with caution, or just give me a call for advice.

