Internal audit is a mandatory procedure under ISO 2001:2013. Unlike ISO 27001:2005, the current version of ISO 27001:2013 does not specify any annual frequency. However still the requirement is to conduct internal audits at “defined intervals”. Section 9.2 (c) of the ISO 27001 standard states organization shall “plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits; ”
The above requirement actually comprises of following requirements:
- Who will plan the audit program ?
- Evidences of planning and approval ?
- Evidence of audit program ?
- How the frequency of Internal audit has been defined?
- Evidence of Internal audit reports and evidence of sending of reports to stakeholders (auditees, management and interested parties)?
- Which processes are selected and why ?
Depending upon the organization, its maturity level and its requirements, answers to above questions will vary and may lead to more questions.
However it is best to carry out the internal audit for :
- all processes at least once in year
- carry out the internal audit to meet client or regulatory requirements as per defined need
- carry out the review audit for all critical processes after closure of NC’s in critical processes
- carry out the review audit for those processes where NC’s was against any legal/regulatory requirement.
- new processes at least twice in a year.
Please note that these are recommendations based on my own experience and not stated in the ISO standard.
Sample Audit Plan