ISO 27001 Compliance Kit
Simplify your certification with policy templates, readiness checklists, and more free resources.
Congrats! You’ve achieved ISO 27001 certification, which is no easy feat. But now you’ve got to maintain certification — and that means conducting regular internal audits.
An ISO 27001 internal audit is exactly what it sounds like: an audit that your organization conducts internally to assess whether your information security management system (ISMS) still satisfies the ISO 27001 standard.
This article walks you through how to conduct an internal audit that satisfies ISO 27001 requirements. Learn how often you should conduct an internal audit, the steps for completing one, and get an ISO 27001 internal audit checklist to simplify the process.
Unlike the certification audit, which is performed by an auditor from an accredited certification body, the internal audit is conducted by the organization itself, either by its own staff or by someone it engages to act on its behalf. The results of these internal audits help you improve the ISMS over time and confirm that it still satisfies the requirements for ISO 27001 certification.
The ISO/IEC 27001 standard lays out the requirements for an internal audit in clause 9.2. This clause requires that internal audits:
The standard only requires that internal audits take place at planned intervals and does not fix a frequency, but our ISO 27001 experts recommend conducting an internal audit at least annually, and additionally whenever the ISMS changes significantly.
Regular ISO 27001 internal audits encourage organizations to be proactive when it comes to maintaining the ISMS. An internal audit program also helps organizations:
The first step in your internal audit is to create an audit plan. You’ll need to establish which information systems and assets should be included in the assessment. Confirm which ISO 27001:2013 clauses and Annex A controls are relevant to your certification audit (a Statement of Applicability is helpful here).
Next, you need to identify an internal auditor to conduct the assessment. This person is typically selected by management or the board of directors. ISO 27001 requires that auditors be selected and audits be conducted in a way that ensures objectivity and impartiality, so the auditor should be someone who is not involved in the creation, implementation, or day-to-day operation of the ISMS and who does not audit their own work.
The internal auditor will need to review your information security policies and the controls you’ve put in place to safeguard your ISMS. Here are a few examples of the documentation you will likely need:
Now it’s time for the internal auditor to begin their assessment. They’ll review documentation and controls, interview control owners, and observe operational procedures in action. All of this informs the auditor’s assessment of whether your information security objectives are being met and whether the ISMS conforms to the requirements of ISO 27001 and to your organization’s own policies. It will also help them identify any gaps that need to be closed before the next certification audit.
Just like with an external audit, the internal audit will produce a final report. This is where the internal auditor summarizes their findings, including any non-conformities and the corrective actions required. Your ISO 27001 internal audit report should include:
The internal auditor will present the audit findings to management and other interested parties, share any major and/or minor non-conformities they identified, and discuss opportunities to improve the ISMS. These results feed into the management review, which will also inform whether the organization is ready for its next certification audit, whether that is the initial stage 2 audit or a later surveillance or recertification audit.
Every organization’s ISO 27001 internal audit is as unique as its ISMS. That said, an internal audit checklist can be an incredibly useful addition to your ISO 27001 toolkit.
This internal audit template lists each clause and Annex A control in a spreadsheet format to guide your internal auditor through the standard’s requirements. Identify control/risk owners, keep evidence documents organized, and easily identify any gaps or redundancies.
Our compliance automation platform simplifies the internal audit process and generates an ISO 27001 readiness report. You’ll be able to see all of your policies and documentation in one place and automatically collect evidence for internal review. See exactly how close you are to satisfying ISO 27001 requirements and get actionable advice for closing any gaps. Request a demo to learn more about how we streamline ISO 27001 implementation.