5 Steps to a Successful ISO 27001 Audit + Checklist

May 12, 2022

A key component of ISO 27001 compliance is regular internal audits. 

This audit ensures that your Information Security Management System (ISMS) not only complies with the ISO 27001 standard but is also effective in maintaining information security for your organization.

To help you develop your own internal audit program, we’ve broken down the requirements of the internal audit and compiled a checklist to help you streamline the process. 

What is an ISO 27001 audit?

An ISO 27001 internal audit is a requirement of the ISO 27001 standard (detailed in Clause 9.2) that instructs an organization to examine whether its ISMS meets the standard’s requirements.

Unlike the certification audit, an internal audit can be conducted by your own staff. These audits must be conducted on a regular basis, and the audit process must be documented.

It’s important that the individual (or individuals) conducting the internal audit are impartial and are not auditing functions or processes that they manage or helped create. If your organization doesn’t have anyone who fits these criteria, you can recruit an external auditor to help you complete the audit.

What are the ISO 27001 audit types?

An internal audit is just one type of ISO 27001 audit, but it is the only audit type that is not carried out by a certification body. 

Internal audits

ISO 27001 requires organizations to plan and conduct internal audits in order to prove compliance. These audits are meant to review and assess the effectiveness of the company’s ISMS. 

These are carried out by an organization’s own internal audit team. If a business doesn’t have an internal auditor, it can use an outside party. These audits are called “second-party audits.”

Certification audit

The certification audit is conducted by a certification body, and if you prove compliance, you will receive a certificate of compliance that’s valid for three years. During those three years, you’re obligated to maintain your ISMS and the processes, ISO 27001 controls, and requirements that helped you achieve compliance. 

This is the only type of ISO 27001 audit that is conducted only once, when you are first awarded your certificate of compliance. 

Recertification audits 

After those three years have passed, your organization will need to undergo a recertification audit where you will provide evidence proving continuous compliance and proof of ongoing ISMS improvement. 

Surveillance audits

After achieving certification, you must schedule surveillance audits with a certification body. These audits are performed in years one and two after your certification audit and before your recertification audit. 

These audits include:

  • All clauses in the ISO 27001 framework
  • Annex A requirements, which are divided between years one and two after your certification audit (your auditor will determine how the requirements are split) 
  • Review of prior nonconformities found in the initial certification audit to determine whether they were remediated properly

The Four Types of ISO 27001 Audits

| | Internal audits | Certification audit | Recertification audits | Surveillance audits |
| --- | --- | --- | --- | --- |
| Performed by | Independent party (internal or external resource) with sufficient expertise | Certification body | Certification body | Certification body |
| Audit frequency | Once every year | Once, when you are first awarded your certificate | Once every three years | Annually in years one and two between certification and recertification audits |

Certification audit vs. internal audit: How are they different?

The main difference between certification audits and internal audits lies in the objectives included within the ISO 27001 standard. 

ISO 27001 states that internal audits are meant to:

  1. Confirm that the ISMS conforms to the organization’s own requirements for information security management
  2. Confirm that the ISO 27001 standard is effectively implemented and maintained

ISO 27001 states that the certification audits are meant to:

  1. Confirm that the organization adheres to its own policies, objectives, and procedures
  2. Confirm that the ISMS conforms to all ISO 27001 standard requirements and is achieving the organization's policy objectives 

The internal audit focuses on the effectiveness of the ISMS, however that might look within your company. The certification audit is used to test conformity of an ISMS against the ISO 27001 requirements. 

Why are ISO 27001 audits important?

Internal audits are important because the ISO 27001 standard requires them. Clause 9.2 of the standard mandates a program of internal audits in order to prove an ISMS is in compliance and working effectively. 

Beyond being a requirement, internal audits provide companies with a variety of benefits. These include:

  • Peace of mind that your ISMS is adequately implemented and meets the standard’s requirements
  • Assurance that your ISMS is effective in reducing information security risks
  • Knowledge that nonconformities are addressed in a timely manner
  • Detailed documentation of information security weaknesses, events, and incidents that can help inform improvements and changes to strengthen the ISMS
  • Discovery of nonconformities (and the chance to remediate them) before a certification body does 
  • Commitment to continuous improvement

How to conduct an internal ISO audit in 5 steps

Internal ISO audits are customizable to fit the particular needs and requirements of your organization. We’ve outlined a few of the core steps to complete an internal ISO 27001 audit below.

1. Document review

First things first: Your designated auditor (whether internal or external) should review the documentation of how the ISMS was created. This will help to set the scope of the internal audit to match that of the ISMS, since that’s what the internal audit covers. 

The documentation should also identify the key individuals responsible for the controls and processes of the ISMS. This will help the auditor should they need to request more information about ISMS specifics. 

2. Planning and preparation

During this phase, management and the auditor(s) should create a detailed ISO 27001 internal audit checklist of what needs to be done. Consideration should be given to the resources needed to complete the audit as well as the time frame. 

3. Fieldwork

Fieldwork is the audit proper, where the ISMS is tested, observed, and reported on. During this phase, your audit team will interview employees and observe how the ISMS is implemented throughout the company.

4. Analysis

Once the audit evidence has been collected, it should be sorted, filed, and reviewed in relation to the risks and control objectives set by your organization and the ISO 27001 standard. This process may reveal gaps in evidence collection and require additional audit tests.

5. Report to management

Once the fieldwork tests have been completed, your audit team will deliver a report to management. Results should be maintained as a record of performance and proof that your company is in compliance with the standard’s ISMS requirements. 

This report typically includes:

  • An introduction that clarifies the scope, objectives, time frame, and summary of the work performed 
  • An executive summary of key findings, brief analysis, and conclusion 
  • Detailed findings and analysis 
  • Statement from the auditor(s) detailing recommendations and scope limitations

Once the report has been handed over to management, they are responsible for tracking the correction of nonconformities found during the audit.

ISO 27001 audit checklist 

We’ve created a simple five-step ISO 27001 audit checklist to help you understand the tasks required to complete an ISO 27001 internal audit. You can download the PDF below. 

How Secureframe can help you complete an ISO internal audit

Oftentimes, organizations do not have anyone on staff qualified to complete an internal audit who is also not directly tied to the creation and maintenance of the ISMS. 

When this happens, it’s crucial to find an external auditor to help you complete the internal audit. Secureframe can help by matching you with an auditor that not only knows your industry, but also understands the standard inside and out. 

This will help you to efficiently and effectively assess your ISMS prior to the certification process. 

To learn more about how Secureframe can help streamline the ISO 27001 certification process, schedule a demo today.