ISO 27001 Internal Audit

More than a checkbox exercise

An ISO 27001 internal audit is a mandatory part of your information security management system - and that’s exactly why it deserves more than a formality. We conduct audits that genuinely show you where you stand, what’s working, and what needs improvement.

We don’t show up with a ready-made checklist. We come with an understanding of your business and experience from dozens of audits across organizations of different sizes and complexity.

Our approach

Audit planning

Every audit starts with a plan. We define the scope, criteria, and schedule tailored to your organization:

• Reviewing your current Statement of Applicability (SoA) and audit history
• Identifying priority areas based on your risk assessment
• Aligning the schedule with your team - no unnecessary pressure
• Developing an audit program covering all clauses from 4 to 10 and the applicable Annex A controls

Conducting the audit

We work on-site or remotely - whichever suits you best. The audit includes:

• Interviews with key staff - from the IT team to senior leadership
• Documentation review: policies, procedures, records, and evidence
• Verification of technical controls - access, monitoring, encryption, backups
• Evaluating whether processes are effective, not just whether they exist

The goal isn’t to “catch” you doing something wrong. The goal is to see the real picture before the certification auditor does.

Report and action plan

After the audit, you receive a clear, structured report:

• A list of nonconformities - major and minor
• Observations and recommendations for improvement
• A concrete action plan with priorities and timelines
• An assessment of your readiness for a certification or surveillance audit

We don’t leave you with a 50-page document and “Good luck!” We walk through everything we found with you and help you understand what’s urgent, what can wait, and what you’re already doing well.

When you need an internal audit

• Before a certification audit - to make sure you’re ready and there won’t be any unpleasant surprises
• Annually - ISO 27001 requires internal audits at planned intervals (clause 9.2)
• Before a surveillance audit - to verify you’re maintaining the standard after initial certification
• After significant changes - new infrastructure, acquisitions, changes in scope

If you already have an ISO 27001 ISMS in place, an internal audit is the natural next step. And if you’re still in the planning stage, a readiness audit will save you time and headaches down the road.

Why choose us

• Hands-on experience - we’ve conducted dozens of internal audits in organizations ranging from 10 to 500+ employees
• Independence - as external internal auditors, we have no conflict of interest and provide an objective assessment
• Deep knowledge of the standard - we work with ISO 27001:2022 every day and keep up with evolving audit practices
• We understand your business - we audit real processes, not just documentation

Next step

Not sure if your internal audit is truly effective? Let’s talk - we’ll look at your specific situation and tell you what we’d do differently.

Related reading

• PDCA for ISO 27001: The Improvement Cycle
• ISO 27001 Documentation: What You Need
• ISO 27001 Certification: Is It Worth It?