Commenced in January 2007
Frequency: Monthly
Edition: International
Paper Count: 31584
CyberSecurity Malaysia: Towards Becoming a National Certification Body for Information Security Management Systems Internal Auditors

Authors: M. S. Razana, Z. W. Shafiuddin


Internal auditing is one of the most important activities for organizations that implement information security management systems (ISMS). The purpose of internal audits is to ensure the ISMS implementation is in accordance to the ISO/IEC 27001 standard and the organization’s own requirements for its ISMS. Competent internal auditors are the main element that contributes to the effectiveness of internal auditing activities. To realize this need, CyberSecurity Malaysia is now in the process of becoming a certification body that certifies ISMS internal auditors. The certification scheme will assess the competence of internal auditors in generic knowledge and skills in management systems, and also in ISMS-specific knowledge and skills. The certification assessment is based on the ISO/IEC 19011 Guidelines for auditing management systems, ISO/IEC 27007 Guidelines for information security management systems auditing and ISO/IEC 27001 Information security management systems requirements. The certification scheme complies with the ISO/IEC 17024 General requirements for bodies operating certification systems of persons. Candidates who pass the exam will be certified as an ISMS Internal Auditor, whose competency will be evaluated every three years.

Keywords: ISMS internal audit, ISMS internal auditor, ISO/IEC 17024, Competence, Certification.

Digital Object Identifier (DOI):

Procedia APA BibTeX Chicago EndNote Harvard JSON MLA RIS XML ISO 690 PDF Downloads 1221


[1] ISO E. 19011. Guidelines for auditing management systems. 2011.
[2] Common Nonconformities. Available:
[3] Top 3 Major Non-Conformities in ISO27001.
[4] M. Schelker, "Auditor expertise: Evidence from the public sector." Economics Letters, 116(3), 2012, pp. 432-435.
[5] D. Getie Mihret, D. and A. Wondim Yismaw, "Internal audit effectiveness: an Ethiopian public sector case study." Managerial Auditing Journal, 22(5), 2007, pp. 470-484.
[6] ISO/IEC E. 27000. Information security management systems-Overview and vocabulary. 2014.
[7] ISO/IEC 27007. Guidelines for information security management systems auditing. 2011.
[8] Department of Standards Malaysia Accreditation Statistics. Available: