What is an internal audit?
An internal ISO 27001 audit involves a detailed assessment of your organisation’s ISMS to ensure it complies with the standard's criteria. Unlike an external certification audit conducted by a certification body, an internal audit is carried out by employees who are independent of the ISMS and have expertise or qualifications in auditing. Alternatively, you can use an external service provider to conduct these audits for you.
The ISO 27001 internal audit examines your organisation’s Information Security Management System (ISMS). The assessment will identify areas that require attention, helping you to meet ISO 27001 requirements and enhance your organisation’s operations. Record these observations and analyse the audit results at regular management review meetings.
What is covered under ISO 27001 clause 9.2?
Performance evaluation is covered by clause 9 of ISO 27001. Within it, clause 9.2 requires the organisation to conduct internal audits at planned intervals to assess whether the ISMS:
- Complies with the organisation's own ISMS requirements
- Meets the requirements of the ISO 27001 standard
- Is implemented and maintained properly
To meet those objectives, the Certification Body (CB) auditor who will be auditing you as part of the external audit will check whether:
- An audit programme was planned, executed, and maintained
- The audit criteria and scope of each audit were defined
- Audit results were reported to the appropriate management
- Documented information was kept as evidence
You should also consider the following requirements to help you comply with clause 9.2:
- Auditors must be objective and impartial towards the area being audited, ensuring a review that meets high standards
- Auditors can be internal or external, as long as they don’t audit areas they helped create or implement
Internal audits are commonly outsourced to ensure expertise and maintain impartial, objective reviews. External experts support you on your way to ISO 27001 certification and beyond.
Why do organisations need to audit their ISMS?
Internal audits in line with ISO 27001 ensure that the ISMS and its procedures comply with the standard's criteria. The benefits of conducting an internal audit include:
- Finding out about nonconformities before they can hinder you from passing the certification audit
- Identifying areas requiring attention to provide a solid security posture that protects your organisation from a security incident
- Educating management about the organisation’s current security level
- Encouraging continuous improvement in the organisation’s information security efforts
An additional benefit is that an ISMS compliant with ISO 27001 covers about 70% of the requirements of the new NIS2 Directive.
ISO 27001 internal audit checklist
Navigate your internal audit process with this five-step checklist.
1. Examining the documentation
Start by reviewing the documentation prepared during your ISMS implementation. This ensures that the audit’s scope is aligned with your organisation, establishing clear outlines for what needs to be audited.
Next, identify the key stakeholders of the ISMS. Having these contacts defined will make requesting any documents needed throughout the audit process easier.
2. Consulting with management
The audit activity starts to take shape at this point. Before drafting a thorough audit plan, consult with management to determine the audit's time frame and resources.
Establishing goals on which you submit progress updates to the board is a common part of this. At this early stage, meeting with management allows both sides to express any issues.
3. Field review
Typically, this will be the practical evaluation of your organisation. Areas of the organisation identified as critical during the ISO 27001 risk assessment should be given more attention at the start of the internal audit process. You will often need to:
- Talk to employees about how the ISMS works in practice (i.e. the policies and procedures they should know and be following)
- Validate evidence as it’s acquired by conducting audit tests
- Complete audit reports to keep track of each test's outcomes
- Examine any ISMS documents, printouts, and other relevant information
4. Analysis
The evidence gathered during the audit should be processed and examined against your organisation’s risk treatment plan and control goals. This approach can reveal gaps in the evidence or indicate the need for further testing.
5. Report
The audit findings must be recorded, typically in a report, and presented to management. The following items should be included in your ISO 27001 internal audit report:
- The scope, objectives, and timeline of the work completed
- The individuals who were part of the audit process and their role in the organisation
- An executive summary including key findings, high-level analysis, and a conclusion
- The report's intended recipients, along with classification and distribution guidelines, if applicable
- An in-depth analysis of the results with conclusions and opportunities for improvement
- A statement outlining any scope suggestions or constraints
The report usually concludes with management agreeing to an action plan, so further review and amendment may be required.
How often does your organisation need to conduct an internal audit?
ISO 27001 doesn’t prescribe a specific frequency for internal audits. Instead, audits must be conducted at planned intervals based on the organisation's needs and risk environment. However, performing an internal audit at least annually is generally recommended to ensure ongoing compliance, identify potential improvements, and address any emerging risks.
Many organisations might choose a more frequent schedule, such as quarterly or biannually, especially if they operate in high-risk industries, manage a broad ISMS scope, or face frequent changes in technology or regulatory requirements. The key is to establish an effective and manageable schedule. It should be documented in the ISMS audit plan and should consider the results of risk assessments and prior audits.
Conduct your internal audit with ease and comply effortlessly with ISO 27001
Running an internal audit will benefit internal and external stakeholders, regardless of whether you want to achieve ISO 27001 certification. And we can help you conduct it.
Our AI-powered platform helps you efficiently build your ISMS, reducing the manual work needed. Additionally, our experts are here to support you whenever needed and will assist you with your internal audit. If you choose to pursue the ISO 27001 certification, we’ll guide you through the entire process—with a 100% first-try pass rate.