ISO 27001 Internal Audit

The objective of this audit is to comply with requirement 9.2 of the ISO/IEC 27001:2022 standard by performing a review of the implementation status of the ISMS through an independent first-party audit across all areas of the organization.

The objective of conducting an internal audit under the ISO/IEC 27001:2022 standard is to independently and systematically evaluate the organization’s Information Security Management System (ISMS) to:

  1. Verify the degree of conformity with the requirements of the ISO/IEC 27001 standard and the internal policies, procedures, and controls established by the organization.
  2. Identify gaps, nonconformities, and opportunities for improvement in the implementation and operation of the ISMS.
  3. Evaluate the effectiveness of security controls, including those established in Annex A of the standard.
  4. Provide objective information and documented evidence to support top management’s decision-making.
  5. Support preparation for certification or surveillance audits, ensuring that the ISMS remains adequate, effective, and aligned with business risks.

The methodology followed by Internet Security Auditors aims to ensure a complete and accurate evaluation of the Information Security Management System and its security controls. The methodology covers the following aspects:

Scope of the tests

Phase I: Planning, Document Review and Audit Plan

  • Basic familiarization with the ISMS and the person responsible for it
  • Review of the documentation that supports the ISMS
  • Preparation of the Audit Plan

Phase II: Audit Execution

During this phase, the meetings defined in the Audit Plan will take place, beginning with the opening meeting where the audit objective and scope will be presented. A conformity review will be carried out regarding the clauses of the ISO/IEC 27001:2022 standard and the security controls listed in the annex, to the extent that they apply according to the organization's Statement of Applicability.

The evaluation includes interviews, process observation, document review, physical inspections, and system review to determine compliance with the standard and with the organization’s defined controls.

Phase III: Audit Report

The audit report will present the process details and results obtained, including the list of evaluated controls, detailed findings, and improvement opportunities.

Nonconformity categorization will follow the methodology and formats defined in the information security management system and the internal audit manual used by Internet Security Auditors to demonstrate adherence to industry best practices.

A closing meeting will be held to present the main strengths and weaknesses identified during the process.

Deliverables

  • Audit Plan
  • Executive Summary
  • Internal Audit Report

Do not hesitate to contact us if you need more information

Send us your questions and we will contact you as soon as possible.
