Skip to Content

Building an effective ISMS - Part 6: Key Implementation Steps Before the Internal Audit

Introduction

Completing the Statement of Applicability (SOA) is a significant milestone in your journey toward ISO 27001 certification. The SOA defines which security controls are relevant to your organization and how they address the specific risks you've identified. However, once the SOA is finalized, the next crucial phase begins—implementing these controls effectively and ensuring your Information Security Management System (ISMS) is fully operational before the internal audit.

This article outlines the essential steps your organization should take after finalizing the SOA and before the internal audit. By following these steps, you can ensure that your ISMS is robust, compliant, and ready for evaluation.

1. Finalize and Validate Documentation

Once the SOA is complete, it's time to ensure that all necessary documentation is finalized and validated. This includes not only the SOA but also policies, procedures, and records that support the ISMS.

Key Documents to Finalize 

  • Information Security Policies: Ensure policies align with the controls specified in the SOA. For example, if A.7.2 Physical entry controls are implemented, your security policies should detail how physical access is controlled, monitored, and logged. 
  • Risk Assessment and Treatment Records: Validate that risk treatment plans are properly documented. For instance, if your risk assessment identified unauthorized access as a high-risk area, ensure that records detail the steps taken to mitigate this risk, such as implementing A.9.2 User access management
  • Business Impact Analysis (BIA): Conduct a BIA to identify critical business functions and assess the impact of potential disruptions. This analysis will inform the implementation of controls like A.5.29 Information security during disruption and ensure that your organization can maintain operations under adverse conditions. For example, if your BIA reveals that a data center outage could severely impact operations, you might implement a backup strategy as part of your ISMS. 
  • Operational Procedures: Ensure that procedures reflect the practical application of the security controls and are accessible to relevant personnel. For example, if A.5.21 Managing information security in the ICT supply chain is applicable, ensure procedures are in place to assess and monitor third-party vendors.

Why This Matters

Auditors will scrutinize your documentation to confirm that your ISMS is not only well-designed but also properly implemented. Clear, well-maintained documentation provides evidence of compliance and is crucial during the internal audit.

2. Implement Controls and Verify Effectiveness

With the SOA serving as your roadmap, it's time to implement the security controls identified as necessary. This step is about putting theory into practice—ensuring that the controls are not only deployed but also functioning effectively.

Steps to Take

  • Deploy Controls: Implement technical and procedural controls as specified in the SOA. For example, if A.7.2 Physical entry controls are marked as "Applicable and Implemented," verify that access controls, such as keycards or biometric systems, are in place and operational at all entry points. 
  • Test Controls: Conduct tests to verify that controls are working as intended. For example, test the effectiveness of A.5.24 Information security incident management planning and preparation by simulating a security incident, such as a ransomware attack, and observing how well the plan is executed and how quickly the incident is contained. 
  • Vendor Review and Exit Plans: Implement a thorough review of third-party vendors as part of A.5.21 Managing information security in the ICT supply chain. For instance, review the security practices of your cloud service provider and ensure that vendor contracts include clear security requirements. Additionally, develop an exit plan that outlines procedures for securely terminating vendor relationships, such as ensuring that all data is securely returned or destroyed at the end of the contract. 
  • Monitor Performance: Establish metrics to monitor control performance over time. For example, regularly review logs from A.12.4 Logging and monitoring to identify any suspicious activities and ensure that monitoring tools are functioning correctly.

Why This Matters

 The internal audit will assess the implementation and effectiveness of your controls. Ensuring that they are operational and performing as expected reduces the risk of non-conformities during the audit.

3. Train and Raise Awareness Among Staff

A critical aspect of ISMS success is ensuring that all personnel understand their roles and responsibilities in maintaining information security. This step involves training and raising awareness about the ISMS and the controls you've implemented.

Training Topics to Cover

  • Roles and Responsibilities: Ensure staff understand their specific roles related to the ISMS, such as incident reporting procedures under A.5.26 Response to information security incidents. For example, provide training on how to recognize and report phishing attempts to the IT department. 
  • Security Awareness: Educate staff on security threats and the importance of following established procedures, such as A.7.7 Clear desk and clear screen policies. For instance, conduct a security awareness session that emphasizes the importance of not leaving sensitive information visible on desks or computer screens. 
  • Practical Exercises: Use tabletop exercises to simulate incidents and reinforce the importance of security controls. For example, run a tabletop exercise where employees must respond to a simulated data breach, discussing the steps they would take and how they would communicate the incident.

Why This Matters

 An informed and engaged workforce is critical to the success of your ISMS. During the internal audit, auditors will assess whether staff are aware of and adhere to the ISMS policies and controls.

4. Conduct Internal Reviews and Management Reviews

Before the internal audit, it's essential to conduct internal reviews and management reviews to ensure the ISMS is functioning as intended and that senior management is fully engaged in the process.

Internal Reviews

  •  Perform Self-Assessments: Conduct internal reviews to assess the ISMS's performance and identify areas for improvement. This can include reviewing the effectiveness of controls like A.8.24 Use of cryptography. For example, evaluate whether encryption methods are up to date and whether data at rest and in transit are adequately protected. 
  • All Access Review: Ensure that access rights and permissions are reviewed regularly as part of A.9.2 User access management. Confirm that access controls are aligned with the principle of least privilege and that unnecessary access rights are revoked. For example, review user accounts to ensure that only authorized personnel have access to sensitive systems. 
  • Document Findings: Record the results of internal reviews, highlighting any corrective actions taken. For instance, if a review finds that certain encryption practices are outdated, document the steps taken to update the encryption protocols.

Management Reviews

  • Engage Senior Leadership: Ensure that management reviews cover key aspects such as resource allocation, security objectives, and the results of internal reviews. For example, present the findings of your internal reviews to senior leadership and discuss any necessary resource adjustments to address identified gaps. 
  • Align with Strategic Goals: Ensure that the ISMS aligns with the organization's broader strategic goals and objectives. For instance, if your organization is expanding into new markets, ensure that the ISMS is updated to address the security risks associated with new regulatory requirements or increased cyber threats.

Why This Matters

Internal and management reviews provide valuable insights and demonstrate that your ISMS is subject to continuous improvement. This is a critical component of ISO 27001 and will be evaluated during the internal audit.

5. Prepare for the Internal Audit

Finally, preparation for the internal audit itself is key. This involves planning the audit, selecting auditors, and ensuring that all stakeholders are ready for the process.

Steps to Take

  •  Audit Planning: Define the scope, objectives, and criteria for the internal audit. Ensure that auditors are impartial and have the necessary expertise. For example, if A.12.1 Operational procedures and responsibilities are part of the audit scope, ensure that auditors have a clear understanding of the operational procedures and the relevant controls in place. 
  • Audit Scheduling: Schedule the audit to minimize disruption and ensure that all relevant personnel are available. For instance, schedule the audit during a period of low business activity to avoid interrupting critical operations. 
  • Pre-Audit Checklists: Use checklists to ensure that all required documentation, evidence, and records are in place before the audit begins. For example, create a checklist that includes verifying the availability of risk assessments, treatment plans, and evidence of control implementation.

Why This Matters

 Thorough preparation ensures that the internal audit runs smoothly and that the ISMS is evaluated comprehensively. This step helps to identify any final gaps before the external audit.

Conclusion

Preparing for the internal audit is a crucial step in achieving ISO 27001 certification. By finalizing documentation, implementing and testing controls, training staff, conducting reviews (including BIA, Vendor Review, Exit Plans, and All Access Review), and planning the audit, your organization can ensure that its ISMS is robust, compliant, and ready for evaluation. Leveraging tools like Brainframe can further streamline the process, ensuring that your organization is well-prepared for the internal audit and on the path to successful certification.

Next Steps

Preparing for the Internal Audit with a robust Statement of Applicability established and managed efficiently through Brainframe, the next critical step is preparing for the internal audit. This phase is pivotal for evaluating the effectiveness of the ISMS and ensuring it aligns with both ISO 27001 standards and organizational security requirements. The internal audit acts as a comprehensive review, providing essential insights into the security management system’s performance, identifying areas for improvement, and confirming the effectiveness of currently implemented controls. This process will involve detailed assessments, regular updates, and ongoing engagement with stakeholders to ensure that the ISMS remains effective, dynamic, and responsive to the evolving landscape of information security threats.

Start for free now! 

Streamline your GRC work using our all-in-one management solution and get access to our network of local specialists

Start your free account

Building an effective ISMS - Part 5: Statement of Applicability (SoA)