Is documentation of internal audit procedures required by ISO 27001?

ISO 27001 emphasizes the importance of an Information Security Management System (ISMS), which includes conducting internal audits as part of the continual improvement process. According to the standard, documentation should support the implementation and operation of the ISMS, but it does not stipulate that specific internal audit procedures must be formally documented in a prescribed manner.

Instead, the standard requires organizations to define processes for conducting audits but allows flexibility in how this documentation is created and maintained. The emphasis is on the effectiveness of audits rather than on the existence of specific documentation. Organizations can tailor their internal audit processes based on their size, complexity, and specific information security risks.

Thus, while some form of documentation to support the audit process is encouraged, the standard does not mandate detailed documentation of internal audit procedures. This is why the claim that documentation is not required aligns with the principles outlined in ISO 27001.
