How to conduct an ISO 27001 internal audit

In order to maintain ISO 27001 compliance, your organisation will need to conduct regular internal audits. This can be tricky at the best of times, but particularly for organisations going through the process for the first time. Unlike the implementation of the Standard, there’s no checklist for what needs to go into an internal audit.

The good news is that, with a little research, it’s relatively easy to map your way to audit success. All you need to do is follow these five steps.

  1. Document review

You should begin by reading all the documentation created when you implemented your ISMS (information security management system). The audit’s scope should match that of the organisation, so reviewing your ISMS will set clear limits for what needs to be audited.

Auditors should also identify and contact the main stakeholders in the ISMS to request any documentation that will be reviewed during the audit.

It might also be worth doing additional research, such as looking at past ISMS reports (if applicable) or industry reports to find common problems.

  2. Audit plan

This is where the audit begins to take shape. Auditors and management should agree on the timing and resourcing for the audit, and create a detailed audit plan. This often includes ‘checkpoints’ that detail specific opportunities for auditors to provide informal interim updates to managers.

Auditors can raise concerns regarding access to information or people, and management can raise concerns regarding the audit process.

  3. Field review

This is what you might think of as the ‘audit proper’, as it’s where the practical assessment of the organisation takes place. Auditors will get a first-hand look at the whole company, talking to employees, checking equipment and observing how the ISMS works in practice.

This stage also includes the review of ISMS documents, printouts and other relevant data.

Audit tests will need to be performed to validate evidence as it’s gathered, and audit work papers will need to be produced documenting the results of each test.

  4. Analysis

The evidence collected in the audit should be sorted and reviewed in relation to the risks and control objectives. Occasionally, the analysis might reveal gaps in the evidence or indicate the need for more audit tests.

  5. Report

The findings of the audit should be presented to management, and include:

  • An introduction clarifying the scope, objectives, timing and extent of the work performed;
  • An executive summary covering the key findings, a brief analysis and a conclusion;
  • The intended recipients of the report and, where appropriate, guidelines on classification and circulation;
  • An in-depth analysis of the findings;
  • Conclusions and recommendations; and
  • A statement from the auditor detailing recommendations or scope limitations.

Further review and revision might be needed, because the final report typically involves management committing to an action plan.

Want expert guidance?

Organisations often find internal audits overwhelming, so they turn to third parties, such as our ISO 27001 Internal Audit Service. This takes the hassle out of the process, with our ISO 27001 experts coming to your organisation, performing all the necessary work and providing you with recommendations for improvements.

This service isn’t appropriate for all organisations, but there is still plenty of help available. Those that perform the internal audit themselves typically find that the biggest challenge isn’t the audit itself but interpreting the findings – particularly reviewing the organisation’s policies and procedures.

These documents need to be tailored to the organisation’s needs, and those needs can quickly change. Auditors need to keep a keen eye on each policy and procedure, making sure it is suitable for the organisation and meets the Standard’s requirements.

You can get help with this process by using our ISO 27001 ISMS Documentation Toolkit. Developed by expert ISO 27001 practitioners and enhanced by more than ten years of customer feedback and continual improvement, it contains a customisable scope statement as well as templates for every document you need to implement or maintain an effective ISO 27001-compliant ISMS.

Example of the Internal Audit Procedure template included in the ISO 27001 ISMS Documentation Toolkit


The toolkit contains:

  • A complete set of easy-to-use, customisable and fully ISO 27001-compliant documentation templates that will save you time and money;
  • Easy-to-use dashboards and gap analysis tools to ensure complete coverage of the Standard; and
  • Direction and guidance from expert ISO 27001 practitioners.
