Anda di halaman 1dari 1

How to audit at 3 pragmatic and simple levels

Level 1 – Review of policies in line with A.5.1.2 and A.8.1.2 for independent
This level is a simple review of how you ‘describe’ your policies and controls, and
ensure they remain relevant for the organisation given 4.1 – 3 and in line with the above
issues, parties, scope, information assets, risks etc.
In we’ve included the policy for A.5.1.2 and developed the platform with
that in mind so it’s easy for you to adopt our policy and really ‘live’ it in practice.
This is clearly not internal auditing for Sect. 9.2 in itself, but is an important part of your
ISMS management along with other aspects like management reviews, incident
tracking etc. and will help to ensure that when you come to conduct your formal internal
audit you are doing so against a solid set of policies and controls that are appropriate
for your organisation.

Level 2 – internal audit plan covering the requirements and controls

This is the required, more traditional approach and will need to be carried out over the
course of the certification cycle at a minimum and it may be worth considering covering
this annually.
Our audit project can be used to set the objectives and scope of each audit and record
your findings. Any non-conformances that are identified can then be addressed in
the Improvement Track.
For those organisations wishing to follow a three-year audit programme of all controls,
we’ve included a framework to follow in too.

Level 3 – a holistic approach to demonstrating the effectiveness

We also encourage a more holistic approach to internal audits and have built a
programme in the platform that focuses an audit around ‘demonstrating’ a specific part
of your ISMS scope is compliant, e.g. a department, a location, a product, system or a
This gives you the opportunity to look at how the business works in practice,
beyond InfoSec per se, and see opportunities for improvement or, indeed, uncover risks
that might not be easily seen from looking through a control lens.
This also enables an organisation to audit a larger number of controls in one go, in a
joined-up fashion.
In our ISO 27001 Virtual Coach, we include an example to give a flavour of what you
could be doing that would illustrate part of your ISMS scope is working well and meeting
its objectives, with the controls working (or not).