ISO 27001 internal audit

ISO27001 Internal Audit

ISO 27001 demands planned internal audits to ensure your Information Security Management System (ISMS) meets the requirements. 

Learn what an internal audit is, find out how to conduct one in your organisation and get a checklist to help you prepare for the process.

Start your certification journey

Content overview

What is ISO 27001?

What is an ISMS?

What is the ISO 27001 Certification?

What is the ISO 27001:2022 standard?

Why is ISO 27001 important? Why should I consider getting an ISO 27001 Certification?

Who needs ISO 27001 Certification?

How hard is it to get ISO 27001 certified? 

How long does it take to get certified? 

Does the ISO 27001 Certification expire? 

What are the benefits of getting ISO 27001 certified? 

What are the certification steps? What exactly do I need to do to get ISO 27001 certified? 

Conducting a risk assessment

Implementing controls and a risk treatment plan to mitigate risks? 

Documenting your ISMS

What is an ISO 27001 audit, and why is it important?

Conducting internal audits: How to go about it? 

How long does it take to get ready for an ISO 27001 external audit?

What you can expect at an external audit

What are the ISO 27001 controls? 

The costs of ISO 27001 Certification

Is the investment worth it?

How to get started with ISO 27001 Certification? 

What is an internal audit?

An internal ISO 27001 audit involves a detailed assessment of your organisation’s ISMS to ensure it complies with the standard's criteria. Unlike an external certification audit conducted by a certification body, an internal audit is carried out by employees who are independent of the ISMS and have expertise or qualifications in audits. Alternatively, you can also use an external service provider who can conduct these audits for you. 

The ISO 27001 internal audit examines your organisation’s Information Security Management System (ISMS). The assessment will identify areas that require attention, helping you to meet ISO 27001 requirements and enhance your organisation’s operations. Record these observations and analyse the audit results at regular management review meetings.

What is covered under ISO 27001 clause 9.2?

Performance evaluation is described in clause 9 of ISO 27001’s management standards. Further, clause 9.2 states that the organisation must conduct internal audits at predetermined (planned) intervals to assess whether the ISMS:  

  • Complies with the organisation's own ISMS requirements 

  • Meets the requirements of the ISO 27001 standard 

  • Is implemented and maintained properly 

To meet those objectives, the Certification Body (CB) auditor who will be auditing you as part of the external audit will check whether:  

  • An audit programme was planned, executed, and maintained 

  • The audit criteria for each audit and scope were defined 

  • It was made sure that audits were reported to the appropriate management 

  • Documented information was kept as proof

You should also consider the following requirements to aid in being compliant to clause 9.2: 

  • Auditors must be unbiased and impartial to the audit process, ensuring an objective review that meets high standards 

  • Auditors can be internal or external, as long as they don’t audit areas they helped create or implement 

Internal audits are commonly outsourced to ensure expertise and maintain impartial, objective reviews. External experts support you on your way to ISO 27001 certification and beyond.

Why do organisations need to audit their ISMS?

Internal audits in line with ISO 27001 ensure that the ISMS and its procedures comply with the standard's criteria. The benefits of conducting an internal audit include: 

  • Finding out about nonconformities before they can hinder you from passing the certification audit 

  • Identifying areas requiring attention to provide a solid security posture to protect your organisation from a security incident 

  • Educating management about the organisation’s current security level 

  • Encouraging continuous improvement in the organisation’s information security efforts 

  • An additional benefit is that an ISMS compliant with ISO 27001 covers about 70% of the requirements of the new NIS2 Directive.

ISO 27001 internal audit checklist

Five steps to a successful ISO 27001 internal audit. Ensure compliance and improve your security framework with our ISO 27001 internal audit checklist. Tailored to guide you through the key steps of auditing your ISMS. 

DG Seal ISO 27001

ISO 27001 internal audit checklist

Navigate your internal audit process with this five-step checklist. 

1. Examining the documentation 

Start by reviewing the documentation prepared during your ISMS implementation. This ensures that the audit’s scope is aligned with your organisation, establishing clear outlines for what needs to be audited. 

Next, identify the key stakeholders of the ISMS. Having these contacts defined will make requesting any documents needed throughout the audit process easier. 

2. Consulting with management 

The audit activity starts to take shape at this point. Before drafting a thorough audit plan, consult with management to determine the audit's time frame and resources. 

Establishing goals on which you submit progress updates to the board is a common part of this. At this early stage, meeting with management allows both sides to express any issues. 

3. Field review

Typically, this will be the practical evaluation of your organisation. Organisational sectors identified as critical during the ISO 27001 risk assessment should be given more attention at first during the internal audit process. You will often need to:

  • Talk to employees about how the ISMS works in practice (i.e. information regarding policies and procedures they should know and be following). 

  • Validate evidence as it’s acquired by conducting audit tests 

  • Complete audit reports to keep track of each test's outcomes 

Examine any ISMS papers, printouts, and other relevant information

4. Analysis

The evidence gathered during the audit should be processed and examined against your organisation’s risk treatment plan and control goals. This approach can reveal gaps in the evidence or indicate the need for further testing. 

5. Report

The audit findings must be recorded, typically in a report, and presented to management. The following items should be included in your ISO 27001 internal audit report: 

  • The scope, objectives, and timeline of the work completed 

  • The individuals who were part of the audit process and their role in the organisation 

  • An executive summary including key findings, high-level analysis, and a conclusion 

  • The report's intended recipients, along with categorisation and distribution guidelines, if applicable 

  • An in-depth analysis of the results with conclusions and opportunities for improvement

  • A statement outlining any scope suggestions or constraints 

The report usually includes management agreeing to an action plan. Therefore, more review and amendment may be required.

Vector-1

DataGuard helped us get ISO 27001 certified 50% faster.

Reece Couchman, CEO & founder @ The SaaSy People

100% of our users pass ISO 27001 certification first time

How often does your organisation need to conduct an internal audit? 

ISO 27001 doesn’t prescribe a specific frequency for internal audits. Instead, audits must be conducted at planned intervals based on the organisation's needs and risk environment. However, performing an internal audit at least annually is generally recommended to ensure ongoing compliance, identify potential improvements, and address any emerging risks. 

Many organisations might choose a more frequent schedule, such as quarterly or biannually, especially if they operate in high-risk industries, manage a broad ISMS scope, or face frequent changes in technology or regulatory requirements. The key is to establish an effective and manageable schedule. It should be documented in the ISMS audit plan and should consider the results of risk assessments and prior audits.

 

Conduct your internal audit with ease and comply effortlessly with ISO 27001 

Running an internal audit will benefit internal and external stakeholders, regardless of whether you want to achieve ISO 27001 certification. And we can help you conduct it. 

Our AI-powered platform helps you efficiently build your ISMS, reducing the manual work needed. Additionally, our experts are here to support you whenever needed and will assist you with your internal audit. If you choose to pursue the ISO 27001 certification, we’ll guide you through the entire process—with a 100% first-try pass rate. 

How can we help?Contact us.

(089) 8967 551 000
dg_seal_iso_2-0-3
dg_seal_tisax_2-0-3
dg_seal_gdpr_2-0-3

Products

Platform

Frameworks

Solutions

Resources

Company

English

TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide Software-as-a-Service and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.

All data provided is for information only, based on internal estimates. This information is not indicative of KPIs, and is not given with any warranties or guarantees, expressly stated or implied in relation to accuracy and reliability.