How to conduct an ISO 27001 internal audit

To maintain compliance with ISO/IEC 27001 (ISO 27001), you need to conduct regular internal audits: Clause 9.2 of the standard requires them at planned intervals.

An ISO 27001 internal audit checks that your ISMS (information security management system) still conforms both to the requirements of the standard and to your organisation's own ISMS requirements, and that it is effectively implemented and maintained.

Regular audits also drive continual improvement: the nonconformities and observations they raise feed your corrective action process.

The ISMS audit process can pose a challenge, though. Unlike implementation, where the standard's clauses set out what must be in place, ISO 27001 does not prescribe an internal audit methodology; it only requires that audits are planned, carried out by auditors who are objective and impartial, and reported to the relevant management. (ISO 19011 offers general guidance on auditing management systems, but you still have to design your own audit programme.)


Get started with your ISO 27001 audit plan

To help you achieve ISMS internal audit success, we have developed a five-step checklist that organisations of any size can follow.


1) Documentation review

You should begin by reviewing the documentation you created when implementing your ISMS: the scope statement, the information security policy, the risk assessment and risk treatment plan, and the Statement of Applicability.

The audit's scope should match the scope of your ISMS, so re-reading the scope statement sets clear limits for what needs to be audited, and flags anything that has changed since the scope was defined.

You should also identify the main stakeholders in the ISMS, such as the risk owners and the owners of individual controls.

This will allow you to easily request any documentation that might be required during the audit.


2) Management review

This is where the audit really begins to take shape. Note that this step is about agreeing the audit with management; it is distinct from the management review of the ISMS that Clause 9.3 of the standard requires, although the audit results are one of the inputs to that review.

Before creating a detailed audit plan, you should liaise with management to agree the timing, resourcing and objectives of the audit, and to confirm that the auditors are independent of the areas they will be auditing.

This will often involve establishing set checkpoints at which you will provide interim updates to the board.

Meeting with management at this early stage allows both parties the opportunity to raise any concerns they may have.


3) Field review

This is what you might think of as the ‘audit proper’: the stage at which the practical assessment of your organisation takes place.

You will need to:

  • Observe how the ISMS works in practice by speaking with front-line staff and watching the controls being operated, rather than relying only on what the documents say.
  • Perform audit tests to validate evidence as it is gathered (for example, sampling records to confirm that a documented procedure is actually being followed).
  • Record the results of each test, noting what evidence was examined, so that every finding can be traced back to it.
  • Review ISMS documents, printouts, system records and any other relevant data.

4) Analysis

The evidence collected in the audit should be sorted and reviewed in relation to your organisation’s risk treatment plan, Statement of Applicability and control objectives, so that each finding can be mapped to the control or requirement it relates to.

This analysis will sometimes reveal gaps in the evidence or indicate the need for more audit tests before a conclusion can be drawn.


5) Report

You will need to present the audit’s findings to management. Your report should include:

  • An introduction clarifying the scope, objectives, timing and extent of the work performed.
  • An executive summary covering the key findings, a high-level analysis and a conclusion.
  • The intended recipients of the report and, where appropriate, guidelines on classification and circulation.
  • An in-depth analysis of the findings, with each one classified (for example, as a major or minor nonconformity, or as an observation or opportunity for improvement) and supported by the evidence gathered.
  • Conclusions and recommended corrective actions.
  • A statement detailing recommendations or scope limitations.

Further review and revision might be needed, because the final report typically involves management committing to an action plan, and each nonconformity must then be addressed through your corrective action process (Clause 10 of the standard), with evidence retained that it has been closed.


Need help with your ISO 27001 audit?

At IT Governance, we’re serious about security.

Our unique combination of technology, methodology and expertise will give you the peace of mind that your organisation is secure and compliant.

You can take the hassle out of the audit process and save time and money with our market-leading ISO 27001 ISMS Documentation Toolkit.

Developed by expert ISO 27001 practitioners, it contains a customisable scope statement as well as templates for every document you need to implement and maintain an ISO 27001-compliant ISMS.

The ISO 27001 ISMS Documentation Toolkit includes a template of the internal audit procedure.


A version of this blog was originally published on 18 July 2018.