ISO 27001 Internal Audits - Key things to know
ISO 27001 Internal Audits | The essential things you need to know to understand and tackle an ISO 27001 Internal Audit
What is an Internal Audit under ISO 27001?
An internal audit is a documented review of your ISMS to evaluate whether it:
- Conforms to your organization’s planned arrangements and the ISO 27001 standard.
- Is effectively implemented and maintained.
- Is capable of achieving your information security objectives.
Clause 9.2 of ISO/IEC 27001:2022 requires internal audits at planned intervals. They help you identify weaknesses and areas for improvement, and they produce the evidence that the ISMS continues to conform to the standard between certification audits.
How does it differ from the external ISO 27001 certification audit?
While both internal and external audits assess your ISMS against the ISO 27001 standard, there are a few key differences between them:
| Internal Audit | External Audit |
|---|---|
| Conducted by your organization (or an independent third party that is not your certification body) | Conducted by a certification body (like us) |
| Aimed at ongoing improvement and readiness | Aimed at certifying or maintaining compliance |
| Flexible in timing and scope | Scheduled per certification cycle (Stage 1, Stage 2, Surveillance) |
| Identifies issues before the external audit does | Determines if your ISMS meets ISO 27001 requirements |
| Results used internally to drive corrective actions | Results used to make certification decisions |
Why the Certification Body (Sensiba) Can’t Do This
While we’re here to assess your system for certification and surveillance purposes, we cannot perform your internal audit for you. This is because:
- Independence and impartiality are key auditing principles. An internal audit must be conducted by someone independent of the activity being audited, and a certification body that performed your internal audit would later be auditing its own work when it assesses the ISMS for certification.
- ISO/IEC 17021-1, the standard against which certification bodies are accredited, prohibits us from activities that would compromise our impartiality, such as designing or implementing your ISMS or carrying out its internal audits.
If not the external auditor, who can perform an Internal Audit under ISO 27001?
In short, there are two options: conduct the audit using internal resources, or engage an independent third party.
Option 1: Using internal resources
There are clear requirements the internal auditor must follow to ensure the audit remains effective, objective, and compliant with ISO 27001 and ISO 19011 (guidelines for auditing management systems).
1. Independence & Objectivity
- The nominated internal auditor must not audit their own work and must be independent of the area being audited. Anyone responsible for implementing or managing the ISMS, or named as the owner of any control in the Statement of Applicability, cannot be the internal auditor.
2. Competence of the Auditor(s)
- Auditors must be competent, meaning they need the knowledge, skills, and experience to evaluate ISO 27001 controls and processes.
If an organization can show that both criteria are met, it may conduct the internal audit using internal resources. Document the auditor selection in the internal audit procedure or report, with a clear rationale for why the chosen auditor is both competent and independent; this rationale is part of the Clause 9.2 evidence reviewed at the external audit.
Option 2: Engage an independent third party
Engaging a third party is the alternative way to conduct the ISO 27001 internal audit. It makes it easier to meet the key criteria of independence, objectivity, and auditor competence, all of which are critical to maintaining the integrity of your Information Security Management System (ISMS).
When selecting a third-party provider, it's important to carefully evaluate several factors to ensure they’re the right fit. Look for criteria such as industry-specific experience, a clear and relevant service offering, and the ability to assess your ISMS against the full requirements of the ISO 27001 standard.
You can explore our partner ecosystem (Sensiba Partners) to find trusted providers that can support your ISO 27001 compliance journey.
How to Conduct an Internal Audit
A structured approach should be followed. Here is a general outline:
- Understand ISO 27001 Requirements: Familiarize yourself with the ISO 27001 standard, including the management-system requirements in Clauses 4 to 10 and the Annex A controls.
- Establish Audit Scope: Define the audit scope, objectives, criteria, and frequency. Determine which areas of the organization's ISMS will be audited.
  The scope of the audit is at the discretion of the organization. Our tip: include your entire ISMS in the scope of your first internal audit prior to certification. Once certified, you can focus on specific areas in each annual internal audit. If you follow an audit cycle that covers a selection of controls each year rather than the entire ISMS, you must document an Internal Audit Schedule showing how the entire ISMS will be audited over the three-year certification cycle.
- Select Auditor/Audit Team: The internal auditor must be independent of the team implementing your ISMS and must have a general understanding of ISO 27001 and information security.
- Plan the Audit: Develop an audit plan that outlines the audit objectives, scope, criteria, methodology, and schedule.
- Conduct the Audit: Execute the audit according to the established plan. This involves reviewing documents, interviewing personnel, and observing processes to assess compliance with ISO 27001 requirements.
- Document Findings: Record all audit findings, including any non-conformities or areas of improvement. Document evidence to support your findings.
- Report Results: Prepare an audit report summarising the findings, conclusions, and recommendations. Ensure the report is clear, concise, and actionable.
- Communicate Results: Present the audit findings to relevant stakeholders, including management and those responsible for the ISMS. Discuss any corrective actions that may be required.
- Document Corrective Actions: Record each non-conformity, the corrective action agreed for it, and the owner and due date. Track implementation, and verify that the action has been effective and that the ISMS is continually improving.
- Review and Improve: Evaluate the effectiveness of the internal audit process and identify opportunities for improvement. Use feedback to enhance future audits and the overall ISMS.
Frequency and Continuous Improvement
Internal audits are an ongoing requirement throughout the ISMS lifecycle. They:
- Must be conducted at planned intervals. Clause 9.2 does not fix a frequency, but the audit programme must cover the whole ISMS within the certification cycle; in practice this means at least one internal audit each year, and certification auditors expect to see one completed before each surveillance audit.
- Should support continual improvement