Your guide to internal ISO 27001 audits

On your journey toward ISO 27001 compliance and even after you’re certified, you’ll need to perform internal audits. These audits help you pass your ISO 27001 audit and help you maintain the strength of your information security management system (ISMS) as it evolves over time.

In this article, we’ll cover what an internal ISO 27001 audit is, what the requirements are for compliance, and the steps for conducting an internal audit on your ISMS. 

What is an ISO 27001 internal audit?

Many compliance frameworks either require or suggest that you perform an internal audit ahead of your official audit, typically to determine your readiness for the formal audit. For ISO 27001 certification, internal audits are mandatory: you must perform them to be compliant.

An internal ISO 27001 audit is an analysis of your ISMS combined with a risk assessment. Clause 9.2 of the standard states that these audits must be performed at least once a year. This ensures you maintain a strong security posture and close any compliance gaps as they arise.

What is the goal of an ISO 27001 internal audit?

The purpose of ISO 27001 internal audits is to ensure your ISMS stays secure. A new security risk can develop at any time due to changes in your ISMS, such as a software update or a change in the vendor you’re using for cloud data storage. ISO 27001 internal audits are designed to keep your ISMS protected for the long term and help you prepare for the external ISO 27001 audit. 

Who can perform an ISO 27001 internal audit?

While an ISO 27001 internal audit is a required part of the compliance process, it isn’t performed by the auditors who will issue your certification. Your internal audit needs to be performed by someone who understands ISO 27001 well enough to conduct the audit and prepare an internal audit report, but that person does not need to be a credentialed auditor.

Many organizations select a member of their internal staff, who is not responsible for any part of the ISMS, to conduct their internal audits. You can also hire a third-party consulting firm to perform your internal audit.

How to conduct an ISO 27001 internal audit

The process of performing an annual ISO 27001 internal audit generally consists of these six steps:

Step 1: Define internal audit scope

An ISO 27001 internal audit starts with understanding your ISMS and the ISO 27001 requirements, and then determining which controls to assess. This can be guided by the Statement of Applicability you’ve prepared for your audit.

In this stage, you’ll also choose an internal auditor. Whether this person is part of your staff or an outside consultant, ensure that they understand the scope of your audit.

Step 2: Review documentation

Ahead of your internal audit, the auditor should review your documentation to ensure that you have the evidence and paperwork needed for ISO 27001 compliance. These documents include:

  • ISMS Scope Statement: Describes the scope of your ISMS.
  • ISMS Statement of Applicability: Details which ISO 27001 Annex A controls you’ve implemented or omitted, your reasoning, and how you’ve implemented the applicable controls.
  • Information Security Policy: Explains your organization’s commitment and philosophy for information security.
  • Risk assessment and risk treatment plan: Identifies the information security risks based on your operations and provides a plan for minimizing those risks.
  • ISMS management review meeting minutes: Shares the discussion among leadership regarding the ISMS and how it’s aligned with your organization’s goals and operations.
  • ISMS Corrective Action Report or gap analysis: Identifies how your organization will address any gaps in your compliance as they arise.
  • Business Continuity Policy: Provides a plan for how your organization will continue to function and provide critical services if a data breach occurs.

Your internal auditor should verify that all of these documents exist, are up to date, and are accurate.

Step 3: Undergo the internal audit

After the documentation review, your internal auditor will perform the internal audit. This involves examining each ISO 27001 clause and each Annex A control you’ve implemented and verifying that each one meets the requirements of ISO 27001. This can take some time because there are many controls working together, but the goal is to ensure that your ISMS is thorough and your data is secure.

Step 4: Evaluate and document the results

When conducting the internal audit, your auditor will take detailed notes of their findings. These notes will include a record of how and where they verified the applicable security controls. After completing the audit, they’ll review these notes and take stock of which controls “passed” the audit and which may be missing or are no longer functioning properly.

Step 5: Prepare the internal audit report

When your internal auditor has finished investigating your ISMS, they will prepare an internal audit report. This report is required: you’ll need to present it to your auditor during your official ISO 27001 certification audit to prove that you’ve been conducting internal audits.

The internal audit report should include five components:

  • Introduction: An overview of the scope of the audit and the audit’s objectives.
  • Executive summary: The internal auditor’s key findings including their determination of whether or not you’re compliant.
  • Report guidance: Recommendations of who should review the report and whether or not it should be classified as a confidential document.
  • Audit findings: A detailed account of the controls the auditor assessed and what they found about how well-implemented and effective these controls are.
  • Audit limitations: A statement noting any limitations to the scope of the audit.

Step 6: Management review

Now that you have the valuable takeaways from your internal audit, it’s time to review that report and make any necessary changes or updates to your ISMS. Your leadership team should review the internal audit report in detail and use it to identify actions to take for enhanced security. If the internal report finds that your organization is ready for your official ISO 27001 certification audit, you’ll proceed to getting an external audit.

ISO 27001 internal audit FAQs

We’ve answered some of the most common questions about ISO 27001 internal audits below:

Does ISO 27001 require an internal audit?

Yes. Unlike other information security standards, ISO 27001 requires internal audits for compliance. According to Clause 9.2 of ISO 27001, an internal audit must be performed at least once per year to ensure that you’re maintaining security best practices.

What are the different types of ISO 27001 internal audits?

There are three types of internal ISO 27001 audits you could conduct:

  • System audit: A comprehensive internal audit that assesses your ISO 27001 compliance throughout your entire ISMS.
  • Process audit: A review of only specific processes within your ISMS.
  • Product audit: An audit of the information security of a specific product or service your organization offers.

While process audits and product audits can be used to look only at specific aspects of your ISMS, you’ll need to have at least one full internal system audit every year to be ISO 27001 compliant.

How long does an ISO 27001 internal audit take?

There’s no clear-cut timeline for an ISO 27001 internal audit. The length of time it takes will vary greatly depending on the complexity of your ISMS, the familiarity and skill of the person conducting the internal audit, how well-prepared you are for the audit, and other factors.

Streamline your internal ISO 27001 audit 

By using Vanta, you can save your business valuable time and money during your ISO 27001 audit process. Learn how you can get your ISO 27001 certification faster by requesting a demo.
