Figuring out how to organize, resource and conduct internal audits of an ISO/IEC 27001 Information Security Management System can be awkward for small organizations.
Independence is the overriding factor in all forms of auditing. For internal auditing, it’s not just a question of who the auditors report to and their freedom to ‘say what needs to be said’ (important though that is), but more fundamentally their mindset, experience and attitude. They need to see things with fresh eyes, pointing out and where necessary challenging management to deal with deep-seated, long-term ‘cultural’ issues that are part of the fabric of any established organization. That’s hard if they are part of the day-to-day running of the organization, fully immersed in the culture and (for managers in small organizations especially) partly responsible for the culture being the way it is. We all have our biases and blind spots, our habits and routines: a truly independent view hopefully does not - at least, not entirely the same ones!
ISO/IEC 27001 recommends both management reviews and internal audits. The people you have mentioned may well be technically qualified to do both, but (especially without appropriate experience/training, management support and the independent, critical perspective I’ve mentioned) they may not do as well at auditing as, say, consultants. The decision is a business issue for you and your management: do the benefits of having a truly independent and competent audit outweigh the additional cost? Or do you think your own people would do it well enough at lower cost?
As the customer, you get to specify exactly what you want the consultants to bid for. A very tightly scoped and focused internal audit for a relatively small and simple ISMS might only take a day or two of consulting time, keeping the costs down. On the other hand, they will be able to dig deeper and put more effort into the reporting and into achieving improvements if you allow them more time for the job – again, a management decision, worth discussing with potential consultants.
One strategy you might consider is to rotate the internal audit responsibility among your own people, having different individuals perform successive audits. That way, although they are not totally independent, they do at least have the chance to bring different perspectives to areas that they would not normally get involved in. It would help to have a solid, standardized audit process, though, so each of the auditors is performing and reporting the audit work in a similar way … and to get you started and set that up, you might like to engage a consultant for the first audit, designing and documenting the audit process, providing checklist and reporting templates, etc., and ideally training up one or more of your own people to take the lead on the next audit (like a relay race, passing the baton down the line).
Another possibility is to send one or more of your people on a training course for internal auditing, perhaps one of the ISO27k/ISMS-specific Lead Auditor courses. Although I believe the LA courses only cover compliance or certification auditing, they do at least teach the concepts and processes that are much the same for internal audits. Personally, I would recommend ISACA’s CISA instead, as it is more suited to IT auditing in general.
Yet another potential approach is to ask appropriate newcomers to the organization (management level, probably) to do your audits. They would need support and guidance on the audit process, but they would at least be free of the baggage that existing employees carry! On top of that, it would be an excellent way to introduce them to all of management, giving them a view across the whole enterprise – a jump start if you like.
Oh, and here’s one more option. How about ‘swapping’ with a partner organization: you audit them and they audit you? Obviously you’d need to be careful about the confidentiality, trust and commercial aspects, and you’d still have to be careful about the competence of the individuals doing the work, but it might work out conveniently for both parties, with the added advantage of perhaps sharing good practices between you.
The beauty of ISO27k is that you have plenty of latitude on how to manage information security, even within the constraints of '27001 certification, so you can be quite creative with how your ISMS is designed. At the end of the day, it is your ISMS and your information at risk, so do whatever is best for your business. That’s even more important than being certified compliant!