Scribd Logo
Upload

Welcome to Scribd!

  • ISO/IEC 27001:2013 Information Security Management Systems: - Internal Audit

    Uploaded by

    Israel Rogelio Gómez
    8 views3 pages
    The document discusses requirements for internal audits of an organization's information security management system according to ISO/IEC 27001:2013. It states that organizations must conduct internal audits at planned intervals and develop an internal audit program considering importance of activities, previous audit results, security incidents, and security performance. For each audit, the scope and criteria must be defined, and auditors must have knowledge of information security topics. Audit results are documented in a report communicated to top management, and any nonconformities require correction and corrective action. Evidence of performing internal audits must be retained.

    Original Description:

    Internal audito iso 27001

    Original Title

    17 Internal Audit

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    The document discusses requirements for internal audits of an organization's information security management system according to ISO/IEC 27001:2013. It states that organizations must conduct internal audits at planned intervals and develop an internal audit program considering importance of activities, previous audit results, security incidents, and security performance. For each audit, the scope and criteria must be defined, and auditors must have knowledge of information security topics. Audit results are documented in a report communicated to top management, and any nonconformities require correction and corrective action. Evidence of performing internal audits must be retained.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    8 views3 pages

    ISO/IEC 27001:2013 Information Security Management Systems: - Internal Audit

    Uploaded by

    Israel Rogelio Gómez
    The document discusses requirements for internal audits of an organization's information security management system according to ISO/IEC 27001:2013. It states that organizations must conduct internal audits at planned intervals and develop an internal audit program considering importance of activities, previous audit results, security incidents, and security performance. For each audit, the scope and criteria must be defined, and auditors must have knowledge of information security topics. Audit results are documented in a report communicated to top management, and any nonconformities require correction and corrective action. Evidence of performing internal audits must be retained.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 3

    ISO/IEC 27001:2013 Information security management systems

    - Internal audit-

    Organizations shall perform internal audits of the ISMS at


    planned intervals.

    Internal audit programme – schedule of internal audits for a


    period of time.
    For the development of internal audit programme the
    organization should take into consideration:
    - importance of activities and processes;
    - results of previous audits;
    - security incidents;
    - security performance.
    ISO/IEC 27001:2013 Information security management systems
    - Internal audit-

    For each internal audit:


    - Scope - what activities and locations are to be audited
    - Criteria – ISO/IEC 27001, information security policies,
    internal regulations, legislation requirements, contract
    requirements, etc.
    Auditors have knowledge of:

    - information security terminology and principles,


    - risk management,
    - the security controls and techniques,
    - current security threats and vulnerabilities,
    - relevant legislation with regards to information security and of course
    - the requirements of ISO/IEC 27001 including the controls from Annex A

    Auditors should be independent from activities being audited


    ISO/IEC 27001:2013 Information security management systems
    - Internal audit-

    Results of the audit – Audit report – Communicated to top


    management

    Nonconformities should be managed – with corrections and


    corrective actions.

    The organization should retain documented information as


    evidence of performing internal audits.

    You might also like