ISO 27001 Internal Audit Guide
About
At Secure Cloud Innovations we specialize in designing and implementing cutting-edge cybersecurity solutions for our clients. By leveraging our deep understanding of compliance models and security standards, we provide our clients with everything they need to meet regulatory requirements and protect their sensitive data across industries.
Our Services
- ISO Internal Audits
- vCISO
- Compliance Certification Prep
- Secure Architecture Design
- Information System Hardening
- DevSecOps
- Risk Assessments
- Security Training
- Audit Readiness Consultations
- Tabletop Exercises
Our price starts at $3000, and the typical turnaround is one week from the start of the engagement.
What is the ISO/IEC 27000 family of standards?
The ISO/IEC 27000 standards are designed to allow a broad range of organizations to develop an effective and comprehensive information security management system (ISMS) capable of protecting the confidentiality, integrity, and availability of information. Each standard offers either guidance or requirements for the design and implementation of different areas of an organization’s ISMS. The series is developed, maintained, and published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
The primary standards for the ISO Internal Audit are as follows:
ISO/IEC 27001: Provides a high-level description of the ISO/IEC standards’ requirements for an organization’s ISMS. It is the central standard in the ISO/IEC 27000 series and is the standard against which an organization is audited.
Relationship Between ISO/IEC 27000 Family of Standards
Definitions Standards
- ISO/IEC 27000: Information security management systems – Overview and vocabulary
Requirements Standards
- ISO/IEC 27001: Information security management systems – Requirements
- ISO/IEC 27006: Requirements for bodies providing audit and certification of ISMS
- ISO/IEC 27009: Sector-specific application of ISO/IEC 27001 – Requirements
- ISO/IEC 27021: Competence requirements for information security management system professionals
Guideline Standards
- ISO/IEC 27002: Code of practice for InfoSec controls
- ISO/IEC 27003: InfoSec management systems – Guidance
- ISO/IEC 27004: InfoSec management – Monitoring, measurement, analysis, and evaluation
- ISO/IEC 27005: InfoSec risk management
- ISO/IEC 27007: Guidelines for ISMS auditing
- ISO/IEC 27008: Guidelines for the assessment of InfoSec controls
- ISO/IEC 27013: Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
- ISO/IEC 27014: Governance of information security
- ISO/IEC 27016: InfoSec management – Organizational economics
Sector Specific Guideline Standards
- ISO/IEC 27010: Information security management for intersector and interorganizational communications
- ISO/IEC 27011: Code of practice for InfoSec controls based on ISO/IEC 27002 for telecommunications organizations
- ISO/IEC 27017: Code of practice for InfoSec controls based on ISO/IEC 27002 for cloud services
- ISO/IEC 27018: Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
- ISO/IEC 27019: InfoSec controls for the energy utility industry
- ISO/IEC 27799: Health informatics – InfoSec management in health using ISO/IEC 27002
Control Specific Guideline Standards
- ISO/IEC 2703x
- ISO/IEC 2704x
- ISO/IEC 2705x
Information taken from ogcio.gov.hk
What is the ISO/IEC 27001 Internal Audit?
- Verify the organization’s ISMS is meeting the requirements laid out in their own ISMS documentation as well as the requirements of ISO 27001.
- Verify the organization’s ISMS is being properly implemented and maintained.
The ISO/IEC 27001 requirements for the internal audit are as follows:
- Plan, establish, and maintain an audit program. This should include written documentation regarding the frequency of audits, auditing methods, responsible parties, planning requirements, and reporting. The audit program should consider previous audit results as well as the importance of the processes being audited to the organization.
- Clearly define the scope of the audit.
- Clearly define the audit criteria.
- Ensure the audit is performed in an impartial and objective manner.
- Report all results and findings to the proper parties.
- Have procedures for the retention of audit results as well as any documented information.
(ISO/IEC 27001:2013, Section 9.2 c – 9.2 g)