Why an ISO27001 Internal Audit Should Not Be Checklist-Based

ISO27001 certified companies (certified, not merely compliant) have a stronger footing when competing for contracts and customers. But being certified is not enough, and they know it: the certificate has to be maintained, which means conducting internal ISMS audits to confirm that the ISMS is still meeting its information security objectives. That is not easy to stay focused on while the business is growing and expanding.

Many companies outsource this to a third-party consultancy and trust it to do the job right. When budget is an issue, they instead look for a ready-made checklist on the internet so they can tick the internal ISMS audit off their to-do list.

Neither approach is worth taking: neither is efficient, and neither is effective. Both are flawed ways to audit your organization.

The real gap in a ready-made checklist is that it neither assesses nor maps the risks in your organization. An ISMS audit must cover the risk assessment and the risk treatment, and because the business changes over time, so do the risks; the audit has to capture those changes. A generic checklist defeats the whole purpose of systematic, accurate risk management. If risks are not managed properly the entire ISMS breaks down, and rebuilding it from scratch is another long job.

A checklist-based approach leaves the organization exposed. Some examples:

– A ready-made checklist is not tailored to your company or your business. Think of copying a birthday party plan from the internet: the plan was written for an elderly relative's party and you are planning one for a six-year-old. There may be a few things in common, but the party will be dull and a flop.

– A ready-made checklist can make you do far more work than your certified ISO27001 scope and the nature of your business require. It is like feeding an elephant with a spoon.

– A ready-made checklist can equally make you do too little for your ISO27001 scope and business, which puts your certification at risk at the next yearly surveillance audit. Evidence, logs, reports, documentation and other items that should have been produced during the year since certification will simply be missing.

– A ready-made checklist does not know which firewall you use, how it is configured, or what risks arise from ongoing changes to its rule set.

– A ready-made checklist does not account for your code deployment methodology, so it will not prepare you to produce the evidence the surveillance auditor will ask for in that area.

– A ready-made checklist does not understand your cloud architecture or its configuration.

– Where would you find a ready-made checklist for a surveillance audit in the work-from-home situation that arose after the pandemic, when you were certified before the pandemic and the whole way of working was different? The evidence, documentation and policies that fit your company's culture will not be in that checklist either.

– Ready-made checklists go stale, and whoever shares them on the internet (free or paid) gives no guarantee of keeping them current with changes to the ISO27001 standard and its guidelines.

– Last and most importantly, a ready-made checklist does not and cannot take into account the local legislation and government regulations that apply to you based on where you operate, and which you must consider when preparing for the surveillance audit; the checklist simply does not know where you are based.

Conclusion – Ready-made checklists are not even a quick fix. If you do go for a checklist-based audit, be on your guard and look out for the ISMS threats that would affect your business the most, because those are what lead to a failed ISO27001 audit.