Instant 27001 demo environment

Self check versus internal audit


(question) What is the difference between 9.1 Monitoring, measurement, analysis and evaluation and 9.2 Internal audit?

The Monitoring plan (9.1) defines a series of short-cycle checks the organization needs to perform during the year to make sure the selected controls are functioning as intended. They can be performed by the control owner (hence the name, Monitoring plan). It focuses on control conformance.

The internal audit (9.2) is more infrequent (often once per year, and not all parts of the standard need to be audited each year). The goal of the internal audit is to provide assurance that the management system complies with ISO 27001. The internal auditor needs to be qualified to do so (although the organization may define the required level of qualification). He or she must be impartial and objective; therefore, the internal audit cannot be performed by the control owner and/or the Security officer. It is, however, possible to conduct an internal audit with more than one control owner, each checking the work of the other.