More than a checkbox exercise
An ISO 27001 internal audit is a mandatory part of your information security management system - and that’s exactly why it deserves more than a formality. We conduct audits that genuinely show you where you stand, what’s working, and what needs improvement.
We don’t show up with a ready-made checklist. We come with an understanding of your business and experience from dozens of audits across organizations of different sizes and complexity.
Our approach
Audit planning
Every audit starts with a plan. We define the scope, criteria, and schedule tailored to your organization:
- Reviewing your current Statement of Applicability (SoA) and audit history
- Identifying priority areas based on your risk assessment
- Aligning the schedule with your team - no unnecessary pressure
- Developing an audit program covering all clauses from 4 to 10 and the applicable Annex A controls
Conducting the audit
We work on-site or remotely - whichever suits you best. The audit includes:
- Interviews with key staff - from the IT team to senior leadership
- Documentation review: policies, procedures, records, and evidence
- Verification of technical controls - access, monitoring, encryption, backups
- Evaluating whether processes are effective, not just whether they exist
The goal isn’t to “catch” you doing something wrong. The goal is to see the real picture before the certification auditor does.
Report and action plan
After the audit, you receive a clear, structured report:
- A list of nonconformities - major and minor
- Observations and recommendations for improvement
- A concrete action plan with priorities and timelines
- An assessment of your readiness for a certification or surveillance audit
We don’t leave you with a 50-page document and “Good luck!” We walk through everything we found with you and help you understand what’s urgent, what can wait, and what you’re already doing well.
When you need an internal audit
- Before a certification audit - to make sure you’re ready and there won’t be any unpleasant surprises
- Annually - ISO 27001 requires internal audits at planned intervals (clause 9.2)
- Before a surveillance audit - to verify you’re maintaining the standard after initial certification
- After significant changes - new infrastructure, acquisitions, changes in scope
If you already have an ISO 27001 ISMS in place, an internal audit is the natural next step. And if you’re still in the planning stage, a readiness audit will save you time and headaches down the road.
Why choose us
- Hands-on experience - we’ve conducted dozens of internal audits in organizations ranging from 10 to 500+ employees
- Independence - as an external party conducting your internal audit, we have no conflict of interest and provide an objective assessment
- Deep knowledge of the standard - we work with ISO 27001:2022 every day and keep up with evolving audit practices
- We understand your business - we audit real processes, not just documentation
Next step
Not sure if your internal audit is truly effective? Let’s talk - we’ll look at your specific situation and tell you what we’d do differently.