Sample procedure needed for ISO/IEC 27001:2022

Hi,

Greetings to all...

We are planning to go for ISMS certification. As i am new to Information security management systems (ISMS), it would be helpful if anybody could help me by providing the sample procedure for the following clauses of ISO/IEC 27001:2022

1. Procedure for Internal audit (Clause 9.2)
2. Procedure for Management Review (Clause 9.3)
3. Procedure for Nonconformity and corrective action (Clause 10.2)

Thanks
Roots

There's a decent free "toolkit" reference for 27001 templates and procedure starting points here: Free ISO27k Toolkit

For those particular procedures you really only need to work backwards from the requirements, and add more depth related to what you already do. It's also worth noting that none of those would be any different for any other management system version, so if you Google search for 9001 content starting points it would apply just as directly. Keep in mind that unless one particular form in a template seems to be clearly required, eg. a RACI chart, you don't need to address that type of requirement range in that particular way. I hate RACI charts; who would ever read that, or make any change to what they actually do based on that content? But then process flow charts aren't so different; unless minor changes or adjustments to communication steps, or something like that, emerges from their use it's just something to have and show an auditor. At least they should represent a real thing; there's that.

Your internal audit checklist for 27001 wouldn't be identical, but you can audit directly from the requirements or directly from review of your designed system; it's up to you. If your system doesn't adequately cover the requirements auditing related to the designed system won't pick up gaps; that's a trade-off. It's not that hard to include some sort of mapping document that shows that main body requirements and appendix controls are covered. If you audit from requirements instead there's a good chance that you won't end up checking all the parts of the designed system as well, building in potential for gaps related to review of changes and such.

Earlier on in our ISO 9001 and 27001 experience we audited to the designed system, and shifted approach later on, and experienced issues with both, later on with a 20000 system instead after we switched over. In theory covering both in internal review should work, maybe even better, but the internal audit process can seem to naturally run long, and you'll want to focus on related record coverage review, since external auditors definitely do.

The main difficulty with management review is integrating that potentially formal--and not functional--review step with an actual need for reviewing related content. Instead of re-reviewing parts covered in other meetings or review forms you can just cross-reference to that there, in one or more designated review sessions.

If you end up in the somewhat unfortunate position of developing a 27001 system that's there for external assurance, but not related to internal demand for the function, if maturity in the system is absolutely not going to be a goal or accepted priority, then you can just cover the bare minimum that gets you through an external audit, the limited range of internal audit results, system performance, monitoring, risk assessment process output, etc. It's easier and better to work towards developing the overlap between functional performance and what the system requires, but the reality in any given company is what it is.

For the corrective action process and record it's easy to miss how much function, or at least formally attributed purpose, that process can cover. You'll need to use it to document internal audit identified non-conformances, for example, but you can also choose to use it for whatever else you want, eg. a customer complaint process, risk assessment treatment, service improvement documentation, and so on. Maybe only risk treatment is required in that list, for an ISMS, and blowing up process scope and function is probably a bad idea, but you might be able to absorb other low-function process or record use into one more developed version.

Dear Mr.john.b,
Thank you for your detailed and useful explanation.

Hi, the first thing I'd point out is that the standard does not require a procedure for internal audits, management review or non-conformity. ISO standards used to, but the requirement disappeared with the 2013 version. That said, if you want something simple then you can amend the following to fit your requirements

Internal Audit and Non-Conformity Procedure​

At planned intervals <Company> conducts internal audit meant to evaluate:

• ISMS compliance to both <Company>’s own requirements and to ISO 27001 requirements;
• The effectiveness of ISMS implementation and maintenance.

To achieve these goals, <Company>:

• Plans, establishes, implements, and maintains an audit program where audit frequency, method and responsibilities are described.
• Ensure that audits of the management system itself, and control objectives and controls will take place at least once annually.
• Defines related criteria and scope for each audit.
• Selects qualified auditors to ensure objectivity and impartiality of the audit process (the auditor may be an internal or external resource).
• Reports audit results to Management.
• Documents and retain audit results.

Audit Schedule​

An annual audit schedule is prepared by the <ISMS Lead>. When planning the schedule, the status and importance of the processes and areas to be audited should be taken into account i.e. higher risk processes may be audited more frequently than those presenting little or no risk.

The results of any previous audits will also be taken into consideration. If audit of any area results in actions being raised, then audit frequency should be higher than an area which has far fewer or no non conformances raised.

Auditor Allocation​

The <ISMS Lead> will allocate auditors to each audit but must ensure that the auditor selected is objective and impartial. Auditors must remain independent. Where independence between teams is not possible, auditors may carry out audits of their own department so long as they do not audit their own work. Alternatively, external bodies may be utilised to provide the internal audit function as appropriate. Auditors should be suitably trained in Internal Auditing.

Audit Preparation​

The auditor will be given time to prepare questions for the audit. The auditor will be made aware of the scope of the audit and the reporting requirements.

Performing and Recording the Audit​

For each audit carried out, a documented Audit Report will be completed and submitted to the <ISMS Lead>. This document provides a summary of the audit together with details of any actions raised and details of evidence. Additionally, an audit checklist may be completed where applicable, but is not a mandatory item.

Recording Audit Actions​

For each case where an area is found not to comply with either a clause or control of ISO27001 or with the organisation’s policies and procedures, an entry will be recorded in the <where you track NCs>.

The management responsible for the area being audited shall ensure that root-cause is assessed, and that actions are taken without undue delay to eliminate detected nonconformities and their causes. The auditor raising actions will review the evidence supplied in order to verify that the action taken addresses the non-conformities. Closure will be recorded in the <where you track NCs>.

Management Review Procedure​

<company> management are active in supporting and reviewing the Information Security Management System and will support the <ISMS Lead> in setting policy and objectives.

The performance of the ISMS will be reviewed <frequency> through the <name of reviewing group>, with the following inputs and outputs demonstrated.

• Status of actions from previous management reviews
• Changes in external and internal issues that are relevant to the information security management system. Any other feedback from interested parties?
  • Any changes in legislation
  • Any new customers who have required changes in policies, procedures or working practices
  • Any internal changes
  • Any client audits in the period
• Feedback on the information security performance, including trends in:
  • audit results, nonconformities and corrective actions;
  • monitoring and measurement results;
  • fulfilment of information security objectives
  • Results of risk assessment and status of risk treatment plan;
• Opportunities for continual improvement.

Presentation slides and minutes of the meeting will be retained, and actions arising will be tracked <where>.