How to Conduct an ISO 27001 Internal Audit

Congrats! You’ve achieved ISO 27001 certification, which is no easy feat. But now you’ve got to maintain certification — and that means conducting regular internal audits. 

An ISO 27001 internal audit is exactly what it sounds like: an audit that your organization conducts internally to assess whether your information security management system (ISMS) still satisfies the ISO 27001 standard. 

This article walks you through how to conduct an internal audit that satisfies ISO 27001 requirements. Learn how often you should conduct an internal audit, the steps for completing one, and get an ISO 27001 internal audit checklist to simplify the process. 

What is an ISO 27001 internal audit?

Unlike the certification review, which is completed by an accredited external auditor, the internal audit is conducted by your own employees. The results of these internal audits will help you improve the ISMS over time and ensure it still satisfies the requirements for ISO 27001 certification.

The ISO/IEC 27001 standard lays out the requirements for an internal audit in clause 9.2. This clause requires that internal audits: 

• Are conducted at planned intervals 
• Determine whether the ISMS meets the organization's own standards as well as ISO 27001 requirements
• Are documented as part of a formal audit program
• Are completed by an independent and impartial internal auditor (in other words, not by someone who has a level of operational control or ownership over the ISMS, or who was involved in its development)
• Include audit results that are reported to management and retained as part of the organization’s records 

While the standard does not specify how often an internal audit must be performed, our ISO 27001 experts recommend conducting an internal audit at least annually.

Why complete an internal ISMS audit?

Regular ISO 27001 internal audits encourage organizations to be proactive when it comes to maintaining the ISMS. An internal audit program also helps organizations:

• Promote a strong security posture by identifying nonconformities and vulnerabilities before a security incident occurs
• Conduct regular risk assessments and monitor any new information security risks
• Communicate changing security requirements or information security policies to employees and stakeholders
• Ensure staff remain aware of their roles and responsibilities pertaining to the ISMS
• Identify opportunities for continual improvement of the ISMS

The ISO 27001 internal audit process

Step 1: Define the scope of your internal audit

The first step in your internal audit is to create an audit plan. You’ll need to establish which information systems and assets should be included in the assessment. Confirm which ISO 27001:2013 clauses and Annex A controls are relevant to your certification audit (a Statement of Applicability is helpful here).

Next, you need to identify an internal auditor to conduct the assessment. This person is typically selected by management or the board of directors. ISO 27001 requires the internal auditor to be impartial, so it should be someone who isn’t involved with the creation, implementation, or day-to-day operation of the ISMS.

Step 2: Evidence collection & document review

The internal auditor will need to review your information security policies and the controls you’ve put in place to safeguard your ISMS. Here are a few examples of the documentation you will likely need:

• ISMS Scope Statement: This document defines the information and processes your ISMS is designed to protect.
• ISMS Statement of Applicability: This statement explains which Annex A security controls are — or aren’t — applicable to your organization’s ISMS.
• Information Security Policy: This policy provides a high-level overview of how the organization approaches information security. 
• ISO 27001 Risk Assessment and Risk Treatment Plan: These documents identify organizational risks, determine the likelihood and impact of each risk, and outline how the organization will respond to each risk. 
• ISMS management review meeting minutes: The management review ensures the ISMS is aligned with the organization’s purpose, objectives, and risks. 
• ISMS Corrective Action Report/Gap Analysis: Explains how the organization will address vulnerabilities and nonconformities and improve the ISMS.
• Business Continuity Policy: This document outlines how your organization will continue to deliver critical services and restore key business functions in the event of an unplanned disruption. 

Step 3: Conduct the internal audit 

Now it’s time for the internal auditor to begin their assessment. They’ll review documentation and controls, conduct interviews with control owners, and observe operational procedures in action. All of this will inform the auditor’s assessment of whether your organizational objectives are being met and are in line with the requirements of ISO 27001. It will also help them identify any gaps that need to be closed before the next certification audit. 

Step 4: Create the internal audit report

Just like with an external audit, the internal audit will produce a final report. This is where the internal auditor summarizes their findings, including any non-conformities and action items. The internal audit report should include:

 Your ISO 27001 internal audit report should include:

• An introduction that summarizes the audit scope, objectives, timeline, and assessments.
• An executive summary that explains the audit’s key findings.
• Guidance on who should review the report and whether the information it contains should be classified.
• A detailed analysis of the audit findings, including any recommendations and corrective actions.
• A statement explaining any limitations to the audit scope.

Step 5: Management review 

The internal auditor will present the audit findings to management and interested parties, share any major and/or minor non-conformities they identified, and discuss opportunities to improve the ISMS. This management review will also inform whether the organization is ready for an ISO 27001 stage 2 certification audit. 

ISO 27001 internal audit template

Every organization’s ISO 27001 internal audit is as unique as its ISMS. That said, an internal audit checklist can be an incredibly useful addition to your ISO 27001 toolkit. 

This internal audit template lists each clause and Annex A control in a spreadsheet format to guide your internal auditor through the standard’s requirements. Identify control/risk owners, keep evidence documents organized, and easily identify any gaps or redundancies. 

Streamline your ISO 27001 internal audits with Secureframe

Our compliance automation platform simplifies the internal audit process and generates an ISO 27001 readiness report. You’ll be able to see all of your policies and documentation in one place and automatically collect evidence for internal review. See exactly how close you are to satisfying ISO 27001 requirements and get actionable advice for closing any gaps. Request a demo to learn more about how we streamline ISO 27001 implementation.