Internal Audit: Definition, Process, and Compliance Role
Internal Audit
An internal audit is an independent assessment of an organization's own information security controls, processes, and management system — conducted by internal staff or contracted assessors who are not responsible for the areas being audited. Internal audits identify weaknesses, verify control effectiveness, and drive continuous improvement before external auditors arrive.
Internal vs. External Audits
Internal audits are conducted by or on behalf of the organization itself. They serve as a self-assessment mechanism. External audits are conducted by independent certification bodies or CPA firms and result in formal certifications or attestation reports.
Internal audits are rehearsals; external audits are the performance. Organizations that skip internal audits frequently discover issues during external audits — which is more expensive and embarrassing to remediate.
ISO 27001 Requirements
ISO 27001 clause 9.2 requires organizations to conduct internal audits at planned intervals. The internal audit program must cover the entire ISMS over time and verify both conformity with the organization's own requirements and conformity with ISO 27001 requirements.
Key requirements include:
- Auditor independence — Internal auditors must not audit their own work
- Planned program — A schedule covering all ISMS areas over the audit cycle
- Documented results — Findings, nonconformities, and corrective actions must be recorded
- Management reporting — Results must be reported to management for review
Conducting an Internal Audit
- Plan the audit — Define scope, objectives, and criteria
- Review documentation — Examine policies, procedures, and records
- Conduct interviews — Speak with process owners and staff
- Test controls — Verify that controls operate as documented
- Report findings — Document nonconformities, observations, and recommendations
- Track remediation — Ensure corrective actions are implemented and verified
Best Practices
Start early. Conduct your first internal audit at least three months before an external certification audit. This provides time to address findings.
Use a risk-based approach. Focus audit effort on high-risk areas rather than attempting to test every control equally. External auditors expect to see risk-based prioritization of internal audit effort.
Maintain independence. If your team is too small for true independence, consider engaging a contracted internal auditor or consulting firm.