Internal audits under ISO 27001 serve two purposes: they verify that your ISMS conforms to the standard, and they verify that your ISMS is effectively implemented and maintained. Done well, internal audits identify real problems before your certification auditor finds them. Done poorly, they waste time and create a false sense of compliance.
Clause 9.2 defines the requirements, but the standard deliberately does not prescribe how to conduct audits. This guide covers the practical approach that satisfies auditors and actually improves your security posture.
Planning the Audit Program
The audit program defines what will be audited, when, and by whom over the certification cycle. Create an audit schedule that covers all management system clauses (4-10) and all applicable Annex A controls within each three-year certification cycle.
Prioritize areas based on risk and the results of previous audits. High-risk areas and areas with previous nonconformities should be audited more frequently. Low-risk, stable areas can be audited less frequently, but must still be covered within the cycle.
Auditor Competency and Independence
Internal auditors must be competent in audit methodology and have sufficient knowledge of information security to evaluate compliance. They must also be independent of the area being audited. A developer cannot audit the secure development process they participate in.
| Approach | Pros | Cons |
|---|---|---|
| Cross-departmental | Cost-effective, builds security awareness | May lack audit expertise, time constraints |
| Dedicated internal auditor | Consistent quality, deep ISMS knowledge | Expensive for small organizations |
| External consultant | Expert knowledge, complete independence | Higher cost, less organizational context |
Conducting the Audit
For each area, review documentation first, then verify implementation through interviews and evidence review. Ask open-ended questions that reveal how processes actually work, not just whether documentation exists.
- Instead of "Do you have an access control policy?" ask "Walk me through what happens when a new employee needs access to production systems"
- Instead of "Are logs reviewed?" ask "Show me the last time a log alert resulted in an investigation. What happened?"
- Instead of "Do you perform risk assessments?" ask "What was the last risk you identified and how was it treated?"
Making audits useful: The best internal audits find real issues that, when fixed, improve security. If your internal audits consistently find zero nonconformities, either your ISMS is perfect (unlikely) or your audits are not thorough enough. A healthy internal audit program finds 5-15 observations per cycle, including a mix of nonconformities and opportunities for improvement.
Documenting Nonconformities
When an audit finding represents a failure to meet a requirement of the standard or your own ISMS procedures, it is a nonconformity. Each nonconformity must be documented with the specific requirement not met, the objective evidence, and a root cause analysis.
Classify nonconformities as major (failure to implement a requirement that significantly affects the ISMS) or minor (partial implementation or isolated instance of non-compliance). Major nonconformities must be resolved before certification can be recommended.
Corrective Actions
Corrective actions address the root cause of nonconformities, not just the symptom. If the audit finds that access reviews are not being performed, the corrective action is not just "perform access reviews." It should address why they were not being performed: unclear ownership, no scheduled reminders, lack of tooling, or competing priorities.
Each corrective action needs an owner, a deadline, and a verification step to confirm the action was effective. Your certification auditor will review your corrective action log and will expect to see closed items with evidence of effectiveness.