ISO 27001, ISO 27002 and ISO 9001 Implementations and Internal Audits

Introduction

Organisations are expected to demonstrate that they manage information security, quality, operational risk and internal controls in a structured and repeatable manner.

This is normally achieved through formal management systems, supported by policies, procedures, control activities, evidence, monitoring, internal audits and management review.

Futura International provides implementation and internal audit services for ISO/IEC 27001, ISO/IEC 27002 and ISO 9001.

The services apply to organisations that want to implement a new management system, improve an existing system, prepare for certification, or obtain an independent internal audit before a certification audit, surveillance audit, supplier review or client assurance process.

ISO/IEC 27001 and ISO/IEC 27002

ISO/IEC 27001 is the international standard for information security management systems, commonly referred to as an ISMS. The standard requires an organisation to establish, implement, maintain and continually improve a management system for information security.

The focus is not only on technical cybersecurity controls. It also includes governance, risk assessment, management responsibility, documented information, continual improvement, internal audit, management review, corrective action and the selection of appropriate information security controls.

ISO/IEC 27002 supports ISO/IEC 27001 by providing guidance on information security controls. These controls are normally considered during risk treatment and when compiling or maintaining the organisation’s Statement of Applicability.

In practical terms, ISO/IEC 27001 and ISO/IEC 27002 assist organisations to manage information security in a controlled manner, including confidentiality, integrity and availability of information, as well as the protection of systems, processes, people, suppliers and data.

ISO 9001

ISO 9001 is the international standard for quality management systems, commonly referred to as a QMS.

The purpose of a quality management system is to ensure that an organisation can consistently provide products or services that meet customer requirements and applicable statutory and regulatory requirements.

ISO 9001 is not limited to manufacturing environments. It can be applied to service organisations, professional firms, technology companies, public sector entities, outsourced service providers and operational business units.

The standard addresses matters such as organisational context, leadership, planning, process management, support activities, operational controls, performance evaluation, internal audit, management review and continual improvement.

The services provided

Futura International provides two main categories of services for ISO/IEC 27001, ISO/IEC 27002 and ISO 9001:

  • implementation services; and
  • internal audit services.

These services can be performed separately or as part of a broader readiness, improvement or assurance programme.

ISO implementation services

Implementation services assist the organisation in designing, documenting and implementing a management system that is suitable for its operating environment.

The implementation work normally starts with an understanding of the organisation, its business processes, information assets, products or services, customers, suppliers, regulatory obligations and existing control environment.

The objective is not to create unnecessary documentation. The objective is to establish a practical management system that can be operated, evidenced, reviewed and improved.

Depending on the scope of the engagement, implementation support may include the following:

  • defining the scope of the ISO management system;
  • conducting a gap assessment against the relevant ISO requirements;
  • identifying existing policies, procedures, controls and evidence;
  • assisting with the development or improvement of required documented information;
  • supporting risk assessment and risk treatment activities;
  • assisting with the ISO/IEC 27001 Statement of Applicability, where applicable;
  • aligning ISO/IEC 27002 controls to identified information security risks;
  • assisting with process descriptions, control responsibilities and evidence requirements;
  • developing or improving management system procedures;
  • preparing internal audit and management review arrangements;
  • assisting with corrective action processes;
  • supporting readiness for external certification audits.

The implementation approach depends on the maturity of the organisation. Some organisations already have many of the required controls and documents in place, but these are not formally aligned to the ISO standard. Other organisations require a more structured implementation from the beginning.

ISO internal audit services

Internal audits are a required part of ISO management systems. They are also useful when management wants an independent view of whether the management system has been designed adequately and whether it is operating as intended.

Futura International provides internal audit services for ISO/IEC 27001, ISO/IEC 27002 and ISO 9001.

The internal audit may be performed before certification, before a surveillance audit, as part of the annual internal audit programme, or as a focused review of selected clauses, controls, business units or processes.

The work normally includes the following:

  • confirming the audit scope and criteria;
  • reviewing the relevant ISO requirements;
  • reviewing policies, procedures, registers, records and other documented information;
  • interviewing responsible personnel;
  • testing selected controls and evidence;
  • assessing whether the management system conforms to the selected ISO requirements;
  • identifying nonconformities, control weaknesses and improvement opportunities;
  • reporting findings in a clear and practical manner;
  • discussing corrective action requirements with management.

An internal audit is not the same as implementation work. The purpose of an internal audit is to assess conformity and effectiveness. Where implementation assistance is also required, that work should be clearly separated from the audit activity to preserve independence and objectivity.

ISO/IEC 27001 implementation

For ISO/IEC 27001 implementation, the focus is on the establishment and operation of an information security management system.

Typical areas of work include information security governance, information security risk assessment, risk treatment, asset-related controls, access control, supplier security, incident management, business continuity considerations, documented information, monitoring, internal audit, management review and continual improvement.

Where appropriate, ISO/IEC 27002 is used as a control reference to assist with the selection, description and review of information security controls.

The expected outcome is an ISMS that can be explained, operated, evidenced and improved by the organisation.

ISO/IEC 27001 internal audits

An ISO/IEC 27001 internal audit assesses whether the ISMS conforms to the requirements of the standard and whether the relevant information security controls are appropriately implemented and maintained.

The audit may cover the full ISMS or selected areas, such as risk assessment, Statement of Applicability, access control, supplier management, incident management, documented information, management review or corrective action.

The audit output normally includes a report containing the scope, criteria, work performed, findings, nonconformities and practical recommendations.

ISO 9001 implementation

For ISO 9001 implementation, the focus is on the design and operation of a quality management system.

Typical areas of work include process definition, customer requirements, quality objectives, roles and responsibilities, operational controls, document control, performance monitoring, nonconformity management, corrective action, internal audit, management review and continual improvement.

The objective is to ensure that the quality management system is aligned with how the organisation actually operates.

A quality management system should not exist only as a set of documents for certification purposes. It should assist management to control work, identify problems, correct them and improve performance over time.

ISO 9001 internal audits

An ISO 9001 internal audit assesses whether the quality management system conforms to the requirements of ISO 9001 and whether the system is implemented effectively.

The audit may cover the full quality management system or selected processes, departments, sites or requirements.

The audit normally includes a review of documented information, process evidence, records, responsibilities, performance monitoring, nonconformities, corrective actions and management review outputs.

The purpose is to provide management with an independent view of the state of the quality management system before external certification audits, surveillance audits or other assurance reviews.

Implementation and internal audit readiness

Many organisations underestimate the importance of evidence.

Policies and procedures are necessary, but they are not sufficient on their own. The organisation must also be able to demonstrate that the management system is operating.

For this reason, implementation and internal audit work should consider both design and operation.

Design addresses whether the required process, policy, procedure or control exists and is suitable.

Operation addresses whether the process, policy, procedure or control is actually being applied, monitored and retained as evidence.

This distinction is important for both ISO/IEC 27001 and ISO 9001.

Practical outcomes

Depending on the engagement, the practical outcomes may include:

  • a gap assessment report;
  • an implementation plan;
  • management system scope statements;
  • policies and procedures;
  • risk and control documentation;
  • an ISO/IEC 27001 Statement of Applicability;
  • internal audit plans and working papers;
  • internal audit reports;
  • nonconformity and corrective action records;
  • management review inputs;
  • certification readiness support.

The deliverables are agreed based on the organisation’s requirements, maturity, certification objectives and available internal resources.

Independence and objectivity

Where Futura International performs an internal audit, independence and objectivity are important considerations.

If implementation support has also been provided, the internal audit scope and approach should be agreed carefully. The organisation should understand which work relates to implementation assistance and which work relates to independent internal audit activity.

This distinction helps avoid confusion between advisory work and audit work.

Who normally uses these services?

These services are relevant to organisations that:

  • are preparing for ISO/IEC 27001 certification;
  • are preparing for ISO 9001 certification;
  • already hold certification and require an internal audit;
  • need to improve an existing ISMS or QMS;
  • have client, supplier or regulatory pressure to demonstrate control maturity;
  • require a structured review before an external certification audit;
  • need practical assistance with ISO documentation, evidence and corrective action;
  • want an independent view of conformity before engaging a certification body.

Conclusion

ISO/IEC 27001, ISO/IEC 27002 and ISO 9001 provide recognised management system structures for information security and quality management.

Implementation work assists the organisation in establishing or improving the relevant management system.

Internal audit work assists the organisation in assessing conformity, identifying weaknesses and preparing for certification, surveillance or continual improvement activities.

Futura International provides both implementation and internal audit services for ISO/IEC 27001, ISO/IEC 27002 and ISO 9001. The work is performed in a practical manner, with attention to governance, risk, controls, documented information, evidence and management accountability.