Auditing: how to audit NEN 7510 / ISO 27001
Auditing. An audit is a systematic, periodic check carried out by an auditor; 'auditing' for short. The NEN 7510 and ISO 27001 standards focus on information security. They set requirements for the management system that has been implemented to safeguard the availability, integrity and confidentiality of information. An NEN 7510 / ISO 27001 auditor must therefore determine, during an internal or external audit, whether all information security requirements are met. In addition to the requirements aimed at the PDCA cycle (Plan, Do, Check, Act), these standards also contain specific control requirements. In ISO 27001 these are listed in Annex A. In NEN 7510 they form a separate part: NEN 7510-2.
Please note that ISO 27001 has changed: ISO 27001:2022. NEN 7510 follows. A draft NEN 7510:2024 has already been published. Our colleagues at Meta-audit.nl are happy to explain:
- ISO 27001:2022 vs ISO 27001:2013
- ISO 27001:2022 step-by-step plan
Audit framework
An audit is an activity that identifies the risks or shortcomings in a process or organization, measured against a frame of reference: does the process or organization comply with it? With NEN 7510 and ISO 27001 the frame of reference is very extensive, so a framework is soon needed: an overview of all relevant control measures.
The auditor who carries out the audit must ensure that all relevant control measures in the framework are assessed. The audit frequency can be determined on the basis of a risk assessment, but every control measure must be assessed at least once over the course of the audit period.
The framework gives a clear overview when it distinguishes the following process steps:
- In preparation
An agenda is drawn up for the specific audit on the basis of a previously established audit programme: what is covered and what is not. The management system, or a selection of the control measures, is reviewed and the results of the previous audits are examined. Have all improvements been implemented effectively?
- In progress
During the audit, the auditor examines, on the basis of evidence, whether the organization or process meets the requirements of the standard. To this end the auditor collects information such as documents and records and assesses operational (monitoring) systems. Further information can be obtained through the auditor's own observations and interviews with employees. The auditor checks and assesses the information. Can it be shown that the auditee says what they do, and does what they say?
- Completed
All findings, deviations from the standard and suggestions for improvement are collected and recorded in an audit report. The topics discussed, points of attention and shortcomings are described in the report and discussed with the auditee. Corrective actions are also recorded. There should be no ambiguity about the facts. The auditor must approve the improvement plans.
- Improvement plan needed
If corrective actions have been proposed in the audit report, the auditee should draw up an improvement plan and implement it. In a subsequent audit, for example a follow-up audit, it can then be assessed whether these corrective measures have actually been implemented.
This is a very specific process. For the content side we therefore rely on our business partners at meta-audit.nl.
Audit tooling
On the IT side, developments are moving fast. For example, an audit framework can be set up in which progress and completeness are visible immediately.
Below is an overview of the 'standard' functionality of a digital management system set up for audits.
(Just for fun: put this Infoware system online in 60 seconds as a test.)
Planning the audit framework
- Schedule audits in advance
- Timely alerting
- Insight and overview
- Check for completeness against the standard's requirements
- Monitoring
Workflow control
- Clear process steps
- Audit trail
- Overview of current status
- Flexible workflow
Execution
- Configurable per audit type
- One framework, multiple standards
- Also available on mobile devices
- Short lead times
Monitoring
- Dashboard
- Multisite
- Details and overall picture
For those who are still 'fighting' with loose documents, long lead times or unclear progress:
get our cloud solution Infoware, a software tool for management systems, up and running in 60 seconds, and spot the differences.
