ISO 27001 Internal Audit
Internal audits are a mandatory requirement of ISO 27001 (Clause 9.2). They serve two purposes: verifying that your ISMS conforms to both the standard's requirements and your own policies, and identifying opportunities for improvement. Internal audits must be conducted before your certification audit.
Planning the Internal Audit
The audit scope should cover all aspects of your ISMS, though not necessarily in a single audit. Many organizations audit different areas throughout the year, ensuring complete coverage over the audit cycle. Each audit should clearly define which clauses, controls, and processes are being examined.
Auditor independence is required. The person conducting the internal audit cannot audit their own work. Options include training an internal employee from a different department, hiring an external consultant, or using a qualified internal audit team if your organization is large enough.
The audit program documents the schedule, scope, methods, and criteria for your internal audits. It should be risk-based: areas with higher risk or previous nonconformities deserve more frequent attention.
Conducting the Audit
Internal audits typically involve document review, interviews with process owners, observation of processes in action, and sampling of records and evidence. The auditor compares what they find against the requirements of ISO 27001 and your own ISMS documentation.
Reporting Findings
Findings are classified as nonconformities (failures to meet requirements) or opportunities for improvement. Each nonconformity requires a root cause analysis and a corrective action plan with deadlines and responsible owners. The audit report should be factual, evidence-based, and constructive.
Common Internal Audit Findings
The most common findings include: incomplete risk assessments, outdated Statement of Applicability, insufficient security awareness training, gaps between documented policies and actual practices, and missing management review records. Addressing these before the certification audit saves significant time and stress.
Using Findings Effectively
The real value of internal audits is improvement, not just compliance. Use findings to strengthen your ISMS, update processes, and address systemic issues. Track corrective actions to closure and verify their effectiveness.
In the next lesson, we will cover the certification process.