You need to run ISO 27001 internal audits regularly to ensure your Information Security Management System (ISMS) meets the ISO 27001 requirements.

Not just that. ISO 27001 internal audits are also a chance to reevaluate information security measures in your organisation. Are you minimising your exposure to cyber threats? If they do happen, do you have an incident response plan prepared?

This article explains what an internal audit is, how and why organisations should perform one, and a brief checklist to help you prepare for the process.


What is an internal audit?

An internal ISO 27001 audit is a detailed assessment of your organisation’s Information Security Management System (ISMS) to check that it conforms to the standard's requirements and to your own ISMS requirements.

Unlike an external (certification) audit, it is carried out by, or on behalf of, your own organisation, and the results are used to shape the future of the ISMS. Clause 9.2 of ISO/IEC 27001 sets out the requirements for internal audits. Check our detailed guide on ISO 27001 for a broader understanding of ISO 27001 certification, its costs, and how it benefits organisations in the long run.

An internal audit identifies areas that need attention and so helps you improve how the ISMS operates.

You find opportunities for improvement by looking at how things are actually done and comparing that with how the ISMS says they should be done. Record these observations and analyse the audit results at management review meetings, which typically take place between one and four times a year.

 

What is covered under ISO 27001 Clause 9.2?

Clause 9 of ISO/IEC 27001 covers performance evaluation. Clause 9.2 requires the organisation to conduct internal audits at planned intervals to determine whether the ISMS:

  • Conforms to the organisation's own requirements for its information security management system.
  • Conforms to the requirements of the ISO/IEC 27001 standard.
  • Is effectively implemented and maintained.

To meet those objectives, the auditor will verify that the organisation has:

  • Planned, established, implemented and maintained an audit programme (covering frequency, methods, responsibilities, planning requirements and reporting).
  • Defined the audit criteria and scope for each audit.
  • Selected auditors and conducted audits in a way that ensures objectivity and impartiality.
  • Reported the audit results to the relevant management.
  • Retained documented information as evidence of the audit programme and the audit results.

 

How can an organisation conduct internal audits on an ISMS to comply with ISO 27001?

An internal audit process gives the organisation assurance that its ISMS conforms to the ISO 27001 requirements and to its own ISMS requirements, and that it is effectively implemented and maintained. To achieve this, the standard (ISO/IEC 27001:2022) requires internal audits to be carried out by auditors who are objective and impartial: an auditor must not audit their own work.

 

Why do organisations need to audit their ISMS?

Internal audits confirm that the ISMS and its procedures conform to the standard's requirements. Once procedures have been communicated to employees and managers, the audit checks that they are actually being followed and that they work as intended.

As the digital landscape evolves, organisations that align with ISO 27001's principles are also taking strides towards meeting the cybersecurity requirements set by NIS2. The advantages of conducting an internal audit include:

  • Finding nonconformities before the certification body, a customer or an attacker does.
  • Identifying areas that need attention so that the security posture is solid before a security incident occurs.
  • Demonstrating your commitment to information security to management.
  • Helping employees gain a better understanding and awareness of information security.
  • Encouraging continual improvement.

The objective of the audit, as stated above, is to identify any non-conformities, establish the effectiveness of the ISMS, and give the organisation a chance to improve.

 

ISO 27001 internal audit checklist

An organisation can use the following five-step checklist to meet the ISO 27001 internal audit requirements.

Examining the documentation

Start by going over the documentation you produced while implementing your ISMS. The audit scope should match the scope of your ISMS, so this review establishes clear boundaries for what has to be audited.

You should also identify the ISMS's major stakeholders. That makes it easier to request any documents and records you need during the audit.

Review with management

The audit activity starts to take shape at this point. Before drafting a detailed audit plan, consult management to agree the audit's time frame and resources.

This usually includes setting milestones at which you will deliver interim updates to the board. Meeting management at this early stage lets both sides raise any concerns they may have.

Field review

Typically, this will be the practical evaluation of your organisation. You will need to:

  • Talk to front-line staff about how the ISMS works in practice.
  • Validate evidence as it is gathered by carrying out audit tests.
  • Record the outcome of each test in your audit working papers.
  • Examine ISMS documents, records, system output and any other pertinent information.

Analysis

The evidence gathered during the audit should be analysed against your organisation’s risk treatment plan and control objectives.

This analysis may reveal gaps in the evidence or show that further audit testing is needed.

Report

The findings of the audit must be presented to management. Your ISO 27001 internal audit report should include:

  • An introduction stating the scope, objectives, timeline and extent of the work completed.
  • An executive summary with the key findings, a high-level analysis and a conclusion.
  • The intended recipients of the report and, where applicable, its classification and distribution rules.
  • A detailed analysis of the findings, with conclusions and recommendations for improvement.
  • A statement of any limitations on the scope of the work and any recommendations arising from them.

Because the final report usually includes management agreeing to an action plan, more review and amendment may be required.

How often does your organisation need to conduct an internal audit?

ISO 27001, like many other management system standards, does not prescribe how often an organisation must conduct an internal audit; it only requires audits at planned intervals.

This is because each organisation's ISMS is unique and must be treated as such. Most practitioners recommend performing an ISO 27001 internal audit at least once a year, and the audit programme should cover every part of the ISMS at least once within a three-year period.

Three years is also the standard certification cycle: certification bodies typically issue a certificate for three years, with annual surveillance audits and a recertification audit at the end of the cycle. An ISMS that goes longer than that without being audited is unlikely to still be in conformity.

At DataGuard, we provide a range of services around information security, including consultation for ISO 27001. Learn more about our ISO 27001 consultancy services here.

 

What are the ISO 27001 requirements for an internal audit?

Clause 9.2 of ISO/IEC 27001 specifies the internal audit requirements. First, bear in mind that the audit should not be a task confined to one person or one team.

The audit process is an ongoing one, triggered at planned intervals or whenever there is a substantial change in the organisation, rather than a one-off exercise to gain certification.

Once the audit process has been set up, auditors have to be selected. When selecting auditors, make sure they will be objective and impartial. Defining the requirements for competent, objective and impartial auditors means setting criteria that would withstand challenge from the certification body or any other party.

Auditors can be internal staff who are already trained auditors, or staff being trained as auditors. If you wish, you can bring in outside assistance. You are free to choose, as long as the selected persons do not audit anything they helped design, implement or operate.

To protect the three pillars of internal auditing, competence, objectivity and impartiality, it is common practice to outsource this task, particularly in smaller organisations where no one is independent of the ISMS.

 

What is the ISO 27001 internal audit process?

A timetable or Gantt chart should be created before starting the ISO 27001 internal audit process. This lets staff reserve their time accordingly and avoids scheduling audits during periods of high business activity.

This is especially important for organisations that are frequently subject to regulatory and customer audits and want to prevent 'audit fatigue.'

When conducting the audit, give priority to the areas identified as high risk in the risk assessment report. At the same time, avoid repeatedly auditing the same areas at length, so that no department or activity appears to be singled out or ignored.

It is also important that the audit is recorded, usually in a report that details who was interviewed, what was said and, most importantly, what evidence was found, together with a summary of the results. It should also include:

  • Nonconformities identified, if any
  • Opportunities for improvement

The final internal audit report gives management the information it needs at management review, as it sets out the security and privacy concerns found within the organisation and the overall effectiveness of the organisation's ISMS.

 

Get help to run your ISO 27001 internal audit for compliance and protection

Internal audit is one of the most important management system processes and benefits both internal and external stakeholders. And we can help you run it.

Maximise the effectiveness of your ISO 27001 internal audit with DataGuard’s ISO 27001 certification solution. Our platform offers a streamlined approach to ISMS setup, risk mitigation, and audit preparation, ensuring you’re audit-ready with significantly less effort and time. Got any questions? Feel free to book a consultation with one of our experts.


ISO 27001 INTERNAL AUDIT CHECKLIST

Five steps to a successful ISO 27001 internal audit. Ensure compliance and improve your security framework with our ISO 27001 internal audit checklist. Tailored to guide you through the key steps of auditing your ISMS.

Download your free guide

About the author

DataGuard Information Security Experts

Tips and best practices on successfully getting certifications like ISO 27001 or TISAX®, the importance of robust security programmes, efficient risk mitigation... you name it! Our certified (Chief) Information Security Officers and InfoSec Consultants from Germany, the UK, and Austria use their year-long experience to set you up for long-term success. How? By giving you the tools and knowledge to protect your company, its information assets and people from common risks such as cyber-attacks. What makes our specialists qualified? These are some of the certifications of our privacy experts: Certified Information Privacy Professional Europe (IAPP), ITIL® 4 Foundation Certificate for IT Service Management, ISO 27001 Lead Implementer/Lead Auditor/Master, Certificate in Information Security Management Principles (CISMP), Certified TickIT+ Lead Auditor, Certified ISO 9001 Lead Auditor, Cyber Essentials
