Sunday, October 7, 2007

ISO 27001 Internal Audit Case Study

This is a case study of Dionach carrying out an ISO 27001 internal audit for a public organisation based in the Republic of Ireland. Some of the information has been changed or omitted to maintain confidentiality.


The client is certified to the international standard ISO 27001. Part of the standard specifies that planned, objective and impartial internal ISMS audits should take place. The audits shall determine whether the ISMS:

  • Conforms to the standard
  • Conforms to the information security requirements specified
  • Is effective and well maintained
  • Performs as expected

The organisation felt that it could not resource the audit personnel from within the organisation, and so commissioned Dionach to carry out the internal audits.

Internal Audit

The organisation decided to split the auditing of the ISMS into several stages throughout the year. The scope of the initial audit was the following areas:

  • Risk Assessment
  • Information Handling
  • Physical Security and Incident Reporting

Prior to the audit, Dionach requested copies of the ISMS and other related documentation from the organisation. Dionach consultants spent a significant amount of time familiarising themselves with the organisation's documentation and finding out more about the organisation in general. Dionach then produced a detailed schedule of tasks and interviews for four days on site with the organisation, providing two consultants to carry out the audit. The schedule was agreed with the organisation.

On site at the organisation, the consultants liaised with the organisation's ISMS Manager, starting with a tour of the site. The tour also gave a preview of the physical security of the site, and a chance to meet some of the staff.

The Dionach consultants followed the guidelines for auditing specified in ISO 19011 during the course of the audit, applying the following principles: ethical conduct, fair presentation, due professional care, independence, and an evidence-based approach.

After taking notes from documentation, observations and interviews, the consultants gave feedback at the end of every day to the organisation's ISMS Manager on any likely non-conformances or comments.

On the last day, in the closing meeting, Dionach presented a draft report of non-conformances, each graded as major, minor or just a comment. There were no major non-conformances within the scope of the audit, several minor non-conformances, and two comments. The minor non-conformances ranged from easily corrected ISMS documentation inconsistencies to issues that would need to be discussed at length in the organisation's Information Security Forum.

In the closing meeting the organisation agreed to have a list of corrective actions for each of the non-conformances by a certain date.

Dionach provided the organisation with a final version of the audit report, and now looks forward to carrying out the next part of the internal audit process.

ISO 9000 said...

Hey, very nice site. I came across this on Google, and I am stoked that I did. I will definitely be coming back here more often. Wish I could add to the conversation and bring a bit more to the table, but am just taking in as much info as I can at the moment.
iso 9000

ISO 27001 Certification said...

ISO 27001 is a standard that is generic in nature and applicable to all business sectors; it is a globally recognized standard for information security management systems. Information security management system certification may be combined with certification to other management system standards, e.g. ISO 9001, ISO 14001 and ISO 27001 Audit.

Quality Services said...

Nice blog!! I was looking for ISO consultants. Then I found this blog; it is really nice and interesting to read.