ISO 27001 demands planned internal audits to ensure your Information Security Management System (ISMS) meets core requirements. 

Learn what an internal audit is and how to conduct one in your organization, and get a checklist to help you prepare for the process.


What is an internal audit?

An internal ISO 27001 audit is a detailed assessment of your organization’s Information Security Management System (ISMS) to verify that it complies with the standard's criteria. Unlike an external certification audit, which is done by a certification body, an internal audit is carried out by employees who are independent of the ISMS and have auditing expertise or qualifications. Alternatively, you can engage an external service provider to conduct these audits for you.

The assessment will identify areas that require attention, helping you meet ISO 27001 requirements and enhance your organization’s operations. Record these observations and analyze the audit results at regular management review meetings.

What is covered under ISO 27001 clause 9.2?

ISO 27001 has several clauses that companies must follow if they want to be certified. One example is clause 9.2, which states that the organization must conduct internal audits at predetermined (planned) intervals to assess whether its ISMS:

  • Complies with internal requirements

  • Meets the ISO 27001 standard 

  • Is implemented and maintained properly 

To meet those objectives, the Certification Body (CB) auditor checks whether:  

  • An audit programme was planned, executed, and maintained 

  • The audit criteria for each audit and scope were defined 

  • Audits were reported to the appropriate management 

  • Documented information was kept as evidence

You should also consider the following requirements to help you comply with clause 9.2:

  • Auditors must be unbiased and impartial to the audit process, ensuring an objective review that meets high standards 

  • Auditors can be internal or external, as long as they don’t audit areas they helped create or implement 

Internal audits are commonly outsourced to ensure expertise and maintain impartial, objective reviews. External experts support you on your way to ISO 27001 certification and beyond.

Why do organizations need to audit their ISMS?

Internal audits in line with ISO 27001 ensure that the ISMS and its procedures comply with the standard's criteria. The benefits of conducting an internal audit include: 

  • Finding out about nonconformities before they can hinder you from passing the external certification audit 

  • Identifying areas requiring attention to protect your organization from a security incident 

  • Educating management about the organization’s current security level 

  • Encouraging continuous improvement in the organization’s information security efforts 

  • Covering a large part of the requirements of the new NIS2 Directive, since an ISMS compliant with ISO 27001 already addresses much of what that directive asks for


ISO 27001 internal audit checklist

Navigate your internal audit process with this five-step checklist. 

1. Examining the documentation 

Start by reviewing the documentation prepared during your ISMS implementation. This ensures that the audit’s scope is aligned with your circumstances, establishing clear outlines for what needs to be audited. 

Next, identify the key stakeholders of the ISMS. Having these contacts defined will make requesting any necessary documents easier. 

2. Consulting with management 

The audit activity starts to take shape at this point. Before drafting a thorough audit plan, consult with management to determine the audit's timeline and resources. 

Establishing goals on which you submit progress updates to the board is a common part of this. At this early stage, meeting with management allows both sides to align on expectations. 

3. Field review

Typically, this will be the practical evaluation of your ISMS. Areas of the organization identified as critical during the ISO 27001 risk assessment should be given more attention at the start of the internal audit process. You will often need to:

  • Talk to employees about how the ISMS works in practice (i.e. the policies and procedures they should know and be following)

  • Validate evidence while conducting audit tests

  • Complete audit reports to keep track of each test's outcomes

  • Examine any ISMS documents, printouts, and other relevant information

4. Analysis

The evidence gathered during the audit should be processed and examined against your organization’s risk treatment plan and security goals. This approach can reveal gaps in the evidence or indicate the need for further testing. 

5. Report

The audit findings must be recorded, typically in a report, and presented to management. The following items should be included in your ISO 27001 internal audit report: 

  • The scope, objectives, and timeline of the work completed 

  • The individuals who were part of the audit process and their role in the organization 

  • An executive summary including key findings, high-level analysis, and a conclusion 

  • The report's intended recipients, along with categorization and distribution guidelines, if applicable 

  • An in-depth analysis of the results with conclusions and opportunities for improvement

  • A statement outlining any scope suggestions or constraints 

Management usually responds to the report by agreeing to an action plan, so further review and amendments to the report may be necessary.


How often does your organization need to conduct an internal audit? 

ISO 27001 doesn’t prescribe a specific cadence for internal audits. Instead, they must be conducted at planned intervals based on the organization's needs and risk environment. However, performing an internal audit at least annually is generally recommended to ensure ongoing compliance, identify potential improvements, and address any emerging risks. 

Many organizations might choose a more frequent schedule, such as quarterly or biannually, especially if they operate in high-risk industries, manage a broad ISMS scope, or face frequent changes in technology or regulatory requirements. The key is to establish an effective and manageable schedule. It should be documented in the ISMS audit plan and should consider the results of risk assessments and prior audits.


Conduct your internal audit with ease and comply effortlessly with ISO 27001 

Running an internal audit will benefit internal and external stakeholders, regardless of whether you want to achieve ISO 27001 certification. And we can help you get that critical view of your security in real time. 

Our AI-powered platform helps you efficiently build your ISMS, reducing the manual work needed. Additionally, our experts are here to support you whenever needed and will assist you with your internal audit. If you choose to pursue the ISO 27001 certification, we’ll guide you through the entire process—with a 100% first-try pass rate. 
