
** FREE PREVIEW VERSION **

[organization logo]

[organization name]

INTERNAL AUDIT PROCEDURE

Code:

Version:

Date of version:

Created by:

Approved by:

Confidentiality level:

Commented [EUGDPR1]: All fields in this document marked by square brackets [ ] must be filled in.

Commented [EUGDPR2]: To learn more about this topic, read this article: How to prepare for an ISO 27001 internal audit
http://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
Also attend this free online training: ISO 27001 Internal Auditor Course
http://training.advisera.com/course/iso-27001-internal-auditor-course/

Commented [EUGDPR3]: The document coding system should be in line with the organization's existing system for document coding; in case such a system is not in place, this line may be deleted.
©2017 This template may be used by clients of Advisera Expert Solutions Ltd. in accordance with the License Agreement.
[organization name] [confidentiality level]

Change history
Date Version Created by Description of change

dd.mm.yyyy 0.1 EUGDPRAcademy Basic document outline

Table of contents
1. PURPOSE, SCOPE AND USERS
2. REFERENCE DOCUMENTS
3. INTERNAL AUDIT
3.1. PURPOSE OF INTERNAL AUDIT
3.2. INTERNAL AUDIT PLANNING
3.3. APPOINTING INTERNAL AUDITORS
3.4. CONDUCTING INDIVIDUAL INTERNAL AUDITS
4. MANAGING RECORDS KEPT ON THE BASIS OF THIS DOCUMENT
5. VALIDITY AND DOCUMENT MANAGEMENT
6. APPENDICES

Internal Audit Procedure ver [version] from [date] Page 2 of 3


1. Purpose, scope and users


The purpose of this procedure is to define a process for regularly testing, assessing and evaluating the
effectiveness of technical and organizational measures taken to ensure the security of data processing.

This procedure is applied to all personal data processing activities.

Users of this document are [members of top management] of [organization name], as well as internal auditors.

Commented [EUGDPR4]: Top management body within the company.

2. Reference documents
- ISO/IEC 27001 standard, clause 9.2, Annex A
- EU GDPR Article 32 (1) (d)

Commented [EUGDPR5]: Click here to read the full text of GDPR Article 32:
https://advisera.com/eugdpracademy/gdpr/security-of-processing/

3. Internal audit
3.1. Purpose of internal audit

The purpose of internal audit is to determine whether the procedures, controls, processes and
arrangements for personal data processing activities comply with applicable regulations and with
the organization's internal documentation, whether they are effectively implemented and
maintained, and whether they meet policy requirements and the objectives that have been set.

3.2. Internal audit planning

One or more internal audits should be conducted in the course of one year, ensuring cumulative
coverage of all personal data processing activities. Internal audits are planned based on risk
assessment, as well as results of previous audits.

[Job title] defines the annual audit schedule (i.e. the dates when one or a series of audits will be performed).

Commented [GDPR6]: This could be the Data Protection Officer, or the top management of the company (CEO, Managing Director, or similar).

** END OF FREE PREVIEW **

To download the full version of this document click here:
https://advisera.com/eugdpracademy/documentation/internal-audit-procedure/
