Everything to Know About ISO 27001 Internal Audits

Satya Moutairou

29 Mar 2023

When a restaurant expects an inspection from the Health Department, management takes a number of steps to prepare. The team needs to understand what the inspector will look for and take proactive measures to address any obvious concerns. This involves cleaning, scrubbing, and being on best behavior. 

Conducting an ISO 27001 internal audit is like preparing for a health department inspection. An internal audit analyzes an organization’s information security management to find vulnerabilities. The organization can then address issues internally before an external auditor arrives for ISO 27001 certification inspection. 

Before teams can perform an audit, they must understand the steps and requirements in detail, as well as the required resources, cost, and timeline. 

  • What is an ISO 27001 internal audit? 
  • How to Conduct an ISO 27001 Internal Audit
  • ISO 27001 Internal Audit Requirements
  • ISO 27001 Compliance 
  • ISO 27001 Internal Audit FAQs

What is an ISO 27001 internal audit? 

An ISO 27001 internal audit is the process of internally analyzing an organization’s Information Security Management System (ISMS) prior to an external ISO audit. The goal of an internal ISO 27001 audit program is to identify and resolve gaps or deficiencies in the ISMS that could impact the company’s annual ISO 27001 certification audit.

This internal audit is a requirement under the ISO 27001 standard. Companies can elect to perform the audit with internal team members or hire a third-party consulting firm. If an internal team member conducts the audit, it is crucial that they are independent from the controls they review.

Internal audit results should be shared with the organization’s ISMS governing body and senior leadership to address identified issues before the external audit. 

How to conduct an ISO 27001 internal audit

There are many facets and preventative measures to consider when devising an ISO 27001 internal audit plan. Audit stakeholders, including CISOs, GRC & security teams, and possibly HR and sales leaders, should ensure everyone is on the same page from the beginning for a more streamlined audit process—and better results. 

Selecting the Right ISO 27001 Internal Auditor 

Deciding whether to use internal employees or hire a third-party professional is an important step in the ISO 27001 internal audit process. In either case, it’s critical to ensure the ISO 27001 internal auditor is objective and impartial. 

The auditor should not have implemented or currently operate or monitor any controls covered in the audit. Auditors should be qualified and have expertise in the ISO 27001 standard and auditing processes.

ISO 27001 Internal Audit Checklist  

Organizations will be more likely to meet ISO 27001 requirements by following the audit process detailed in this ISO internal audit checklist, which includes steps for how to prepare for ISO audits: 

  1. Comprehensive document review: Review the documentation that describes security policies and controls related to the ISMS. Examples of documentation to review during this step include: 
    1. ISMS Scope Statement
    2. ISMS Statement of Applicability
    3. Information Security Policy 
    4. ISO 27001 Risk Assessment and Risk Treatment Plan
    5. ISMS Corrective Action Report and/or Gap Analysis 
    6. ISMS management review meeting minutes 
    7. Business Continuity Policy 
  2. Agree on timing and internal resource allocation: Establish project milestones and timing for when stakeholders will receive updates, and ensure participating team member managers are on board.   
  3. Monitor the ISMS: Observe how the ISMS works and speak with employees about their pain points. 
  4. Perform audit tests: Validate evidence as it’s gathered through audit tests.
  5. Report on test results: Complete detailed audit reports documenting the results of each audit test. 
  6. Finalize the analysis: Evidence collected through the audit should be sorted and reviewed in relation to the organization’s risk assessment plan and objectives. 
  7. Present the report: Share the audit’s findings with management and stakeholders. 

Create an ISO 27001 Internal Audit Report  

After conducting the ISO 27001 internal audit, a detailed report should be created and presented to stakeholders to prioritize addressing any identified concerns. The audit report should include: 

  • An introduction outlining the audit report, objectives, timeline, and work performed. 
  • An executive summary with a high-level summary, key findings, and next steps. 
  • An in-depth analysis of the audit findings and recommended action items. 
  • Names of the intended report recipients and guidelines on circulation. 

ISO 27001 Internal Audit Requirements 

The ISO 27001 internal audit requirements are outlined in clause 9.2 of the ISO 27001 standard. It’s important to understand the prescriptive requirements outlined in each sub-clause: 

  • ISO 27001 Clause 9.2.1: Requires that internal audits are conducted at planned intervals. 
  • ISO 27001 Clause 9.2.1.a: Requires that the internal audit determine whether the ISMS conforms to the ISO 27001 standard's requirements.
  • ISO 27001 Clause 9.2.1.b: Requires the planning, establishment, and maintenance of an audit program, including frequency, methods, responsibilities, planning requirements, and reporting.  
  • ISO 27001 Clause 9.2.2.a: Requires that scope and criteria be defined for each audit. 
  • ISO 27001 Clause 9.2.2.b: Requires that only impartial auditors are selected. 
  • ISO 27001 Clause 9.2.2.c: Requires that results of the audit are reported to relevant stakeholders.
  • ISO 27001 Clause 9.2.g: Requires that evidence of the audit program and its results be retained as documented information. 


ISO 27001 Compliance with TrustOps

ISO 27001 requirements are complex, prescriptive, and involve specialized technical competencies. As such, meeting these requirements successfully takes dedicated resources independent of the development and maintenance of the ISMS. This can be an especially challenging feat for smaller organizations. 

When implementing TrustOps for ISO 27001, teams obtain an auto-generated, tailored ISMS covering compliance roles, controls, risks, and procedures to reduce audit failure. By using automation for better results and more affordable audits, organizations can get audit-ready in just three months. 

The TrustOps guided ISO 27001 experience helps teams easily enforce controls and collect evidence to prove compliance through a comprehensive internal audit program. 

ISO 27001 Audits Frequently Asked Questions

How much does ISO 27001 cost?  

The cost of an ISO audit depends on the company size and how much foundational work has already been done. As a rough example, an organization with 10 employees or fewer could spend around $10,000 on a five-day audit, while an organization of 450 would spend closer to $30,000 on a 15-day audit process.

What are the benefits of conducting an ISO 27001 internal audit? 

Internal audits are an ISO 27001 certification requirement, but they also confer many benefits. They provide proactive assurance that a company's ISMS and processes conform with compliance standards, and they provide expanded visibility across the organization. 

The related benefits of conducting an ISO 27001 internal audit include uncovering nonconformities before the external audit, proactively preventing security attacks, and increasing staff understanding and awareness of the related policies.