Internal Audit

Independent verification of your information security

When all is said and done, it is important to ensure that the systems and controls function effectively and efficiently to meet the security objectives laid out by the program. An independent review removes personal biases and conflicting interests from the equation. Also note that an internal audit is one of the mandatory requirements of an ISMS according to the ISO/IEC 27001 standard.

Audit Procedure

The Audit Procedure is a template document that organizations populate with their security control requirements, primarily based on their own Statement of Applicability (SoA). No ISO/IEC 27001 Annex A controls are included in the template, in order to protect ISO's intellectual property rights.

Key Performance Indicators

It is important to measure the performance of an audit process. When measuring an audit, the thing to remember is that the number of audit findings, which may be small or large, is not what matters. The critical factor in an audit report is the 'quality' of the findings in it.

Audit Plan

Every audit starts with a plan, with a specific scope and schedule and all of the other program management elements. The ISO/IEC 27001 standard requires the entire scope of the ISMS to be audited by an internal audit team over a period of three years. These audits should not be limited to the ISO/IEC 27001 ISMS standard and ISO/IEC 27001 control standards. Other security requirements identified in the organization's security context should also be included in scope for a comprehensive security audit.

Corrective Action Plan

An audit may find non-conformances to the requirements of the ISO/IEC 27001 Information Security Management System (ISMS) standard, to the ISO/IEC 27002 control standards objectives, or to other security requirements included within the scope of the audit. Regardless of the source of a finding, the audit should always provide 'objective evidence of non-conformities'. Such non-conformances shall be remediated through 'corrective action procedures'. A corrective action should address the specific finding and also remediate other occurrences of the same finding.