Your ISO 27001 ISMS Internal Audit Sucks (Here’s How to Fix It)

Last Updated on January 19, 2024

No offense, but your ISMS Internal Audit approach/program probably sucks.
How would I know? Because Pivot Point Security performs 100+ ISO 27001 ISMS Internal Audits each year for companies across different verticals.
What makes them suck? Robert Fritz said it best: “You are like a river. You go through life taking the path of least resistance. We all do—all human beings and all of nature. It is important to know that.”
That holds true for ISMS Internal Audits as well.  We all intend to “… improve the ISMS Internal Audit program this year, perhaps perform quarterly audits, take a deeper dive into certain areas…,” etc.
Then life gets in the way and you end up on the phone with us, saying: “Hey Carla, sorry for getting back to you last-minute—hope you can still fit us in. We just want to do the same audit thing as last year.” For the record, at least 75% of the ISMS Internal Audits we do each year are “the same audit as last year.” Which sucks.
Yet there is a path of “almost the least resistance” that is sure to yield significantly better results and provide a much greater return on your time and financial investment. This approach actually improves your risk management capabilities, your security controls, and your business.

It’s simple.

Focus your Internal Audit on “What has changed in the last year?” For example:

• Are you offering new services (that process different forms of data)?
• Do you have new clients with new contractual obligations/expectations?
• Are there new laws/regulations that impact your organization?
• Have you opened up additional geographic locations? Gone more virtual?
• Have you migrated infrastructure to the cloud?
• Are you using new SaaS applications?
• Have you altered your technology stack?
• Have you implemented new security controls (CASB, ATP, DLP)?

Why is change so important to focus on? Because if you scoped your ISMS and assessed risk optimally, then the combination of controls you had in place prior to those changes was intended to minimize risk to an acceptable level. Any change may result in a change in risk, which may necessitate a change in the controls that were implemented. Further, it isn’t likely in times of change that new controls will be optimally designed and operationalized.
It’s therefore likely that one or more of last year’s changes put you at risk.
ISO 27001, perfectly leveraged, ensures that you will not be at risk. In a perfect world, every one of these changes was captured in your risk register; analyzed; and where necessary, controls were added, removed, improved or denigrated.
Some of these changes should be reflected in your ISMS Scope Statement. Some may require a change to your Statement of Applicability. Ideally, your ISMS objectives were updated to account for these changes (or to continue your continuous improvement efforts). Ideally, your security metrics were updated to reflect the changes to your ISMS objectives.
Ideally, your ISMS Internal Audit puts some additional focus on ensuring the ISMS has been fully updated to reflect the changes. Ideally, the key controls that are necessary to manage “new” risk are properly assessed during the ISMS Internal Audit.
Life often doesn’t follow the “ideal” path, so much of this may not have happened.

How can you make sure that it happens next year?

Make sure this year’s audit specifically looks at these issues so you end up with Nonconformities that will drive the changes necessary to improve.
As Winston Churchill once said, “Victory will never be found by taking the path of least resistance.” Be victorious this year—make sure your ISMS Internal Audit doesn’t suck.