** FREE PREVIEW VERSION **

Comment [EU GDPR1]: To learn how to fill out this document, and to see real-life examples of what you need to write, watch this video tutorial: "How to Write ISO 27001/ISO 22301 Internal Audit Procedure and Audit Program". To access the tutorial, choose one of the following options (depending on how you received the document):
a) For document(s) delivered via Conformio: log into Conformio, click "Helpful materials" in the top menu, choose your language, and open the folder "Video tutorials".
b) For document(s) delivered via email: in your Inbox, find the email that you received at the moment of purchase; there, you will see a link that will enable you to access the video tutorial.

[Organization logo]
[Organization name]

Comment [EU GDPR2]: All fields in this document marked by square brackets [ ] must be filled in.

INTERNAL AUDIT PROCEDURE

Code:
Version:
Date of version:
Created by:
Approved by:
Confidentiality level:

Comment [EU GDPR3]: To learn more about this topic:
- read this article: Dilemmas with ISO 27001 internal auditors, https://advisera.com/27001academy/blog/2010/03/22/dilemmas-with-iso-27001-bs-25999-2-internal-auditors/
- consider taking this free online training: ISO 27001:2013 Internal Auditor Course, https://training.advisera.com/course/iso-27001-internal-auditor-course/
- take a look at this book: ISO Internal Audit: A Plain English Guide, https://advisera.com/books/iso-internal-audit-plain-english-guide/

Comment [EU GDPR4]: The document coding system should be in line with the organization's existing system for document coding; in case such a system is not in place, the "Code" line may be deleted.

©2017 This template may be used by clients of Advisera Expert Solutions Ltd. www.advisera.com in accordance with the License
Agreement.
[organization name] [confidentiality level]

Change history
Date Version Created by Description of change

dd.mm.yyyy 0.1 EUGDPRAcademy Basic document outline

Table of contents
1. Purpose, scope and users
2. Reference documents
3. Internal audit
3.1. Purpose of internal audit
3.2. Internal audit planning
3.3. Appointing internal auditors
3.4. Conducting individual internal audits
4. Managing records kept on the basis of this document
5. Validity and document management
6. Appendices


1. Purpose, scope and users


The purpose of this procedure is to describe all audit-related activities – writing the audit program,
selecting an auditor, conducting individual audits and reporting, as well as to define a process for
regular testing, assessing and evaluating the effectiveness of technical and organizational measures
to ensure the security of data processing.

This procedure is applied to all activities performed within the Information Security Management
System (ISMS) and all personal data processing activities in the company.

Users of this document are [members of top management] of [organization name], as well as internal auditors.

Comment [EU GDPR5]: Top management body within the scope of the company.

2. Reference documents
- ISO/IEC 27001 standard, clause 9.2
- EU GDPR Article 32(1)(d)
- Information Security Policy
- Procedure for Corrective and Preventive Action

Comment [EU GDPR6]: Click here to read the full text of GDPR Article 32: https://advisera.com/eugdpracademy/gdpr/security-of-processing/

3. Internal audit
3.1. Purpose of internal audit

The purpose of internal audit is to determine whether procedures, controls, processes, arrangements and other activities within the ISMS are in line with the ISO 27001 standard, the GDPR and other applicable regulations, and the organization's internal documentation; whether they are effectively implemented and maintained; and whether they meet policy requirements and the objectives that have been set.

3.2. Internal audit planning

[Job title] approves an annual program for internal audits, written as outlined in the form in
Appendix 1.

One or more internal audits should be conducted in the course of one year, ensuring cumulative
coverage of the entire ISMS scope and all personal data processing activities. Internal audits are
planned based on risk assessment, as well as results of previous audits; they are usually conducted
before management review.

** END OF FREE PREVIEW **

To download the full version of this document, click here:
https://advisera.com/eugdpracademy/documentation/internal-audit-procedure/