
Internal audits are necessary for obtaining and maintaining your ISO 27001 certificate. They help you ensure readiness for the external certification audit and keep track of your compliance and security posture.
Still, an ISO 27001 internal audit might be resource-intensive and laborious without proper guidance. It puts considerable pressure on security compliance teams and other departments involved in the process.
Our guide will help you avoid these issues by discussing the key steps to effective ISO 27001 audit preparation and execution. We’ll cover:
- The basics of internal ISO 27001 audits
- Steps to conduct an audit (including details on internal audit documentation, reporting, and more)
- Specific challenges you might encounter
What is an ISO 27001 internal audit?
An ISO 27001 internal audit is an organized, documented, and independent evaluation of your organization’s information security management system (ISMS) and its alignment with ISO 27001. Unlike the certification audit, it’s performed in-house, though it can be outsourced if the organization lacks a competent, independent auditor.
You’ll perform an internal audit before several external ISO 27001 audits, specifically:
- The initial Stage 1 audit
- Annual surveillance audits
- Recertification audits
By doing so, you can ensure your ISMS continuously meets the necessary ISO 27001 requirements.
{{cta_withimage2="/cta-modules"}} | ISO 27001 compliance checklist
Does ISO 27001 require an internal audit?
As per ISO 27001 Clause 9.2, an internal audit is necessary for certification. While the general purpose of the audit is to ensure ongoing ISMS security, it also lets you accomplish several additional goals, such as:
- Enabling certification readiness: Besides being a mandatory prerequisite to the external audit, an internal ISMS audit supports a streamlined certification process without extensive back-and-forth
- Anticipating and preparing for data security risks: Regular internal audits help your ISMS evolve ahead of notable security threats and risks to ensure ongoing information security
- Pinpointing ISMS improvement opportunities: An effective ISO 27001 internal audit process helps you identify both major compliance gaps and smaller, yet impactful, areas for ISMS improvement
- Supporting continuous compliance: You’ll need to perform internal audits at least annually to maintain and renew your ISO 27001 certificate
What is required to perform an ISO 27001 internal audit?
Besides highlighting their mandatory nature, Clause 9.2 outlines the key ISO 27001 internal audit requirements. To conduct a successful audit, you’ll need to:
- Outline the audit scope and criteria
- Select your internal audit methodology and develop an audit program
- Choose an independent and objective internal ISO 27001 auditor
- Develop a reporting mechanism to communicate audit findings to top management
All of this should be in place before the audit starts, so the preparation activities should be factored in when defining the audit timeline.
How often should internal audits be conducted in compliance with ISO 27001?
While there’s no fixed ISO 27001 internal audit frequency specified by the standard, Clause 9.2 recommends conducting audits at planned intervals. If you need help setting those intervals, refer to the following table for frequency recommendations according to different audit types:
As for how long an internal audit takes, the specific duration will largely depend on your security posture and scope. An estimated internal audit timeline for most organizations spans one to three weeks, which you can use as a reference point.
{{cta_simple2="/cta-modules"}} | ISO 27001 product page
How to conduct an ISO 27001 internal audit: 7 key steps
The general steps for internal audits under ISO 27001 are as follows:
- Define the internal audit scope
- Prepare an ISO 27001 checklist
- Undergo the internal audit
- Evaluate and document the results
- Prepare the internal audit report
- Undergo management review
- Implement follow-up processes
Below, we’ll cover each step in more detail.
1. Define the internal audit scope
To start internal audit preparation, you’ll need to outline the components of your IT infrastructure the audit will encompass. In other words, you’ll map out the ISMS and the controls you’ll use to track its implementation and effectiveness.
Based on the selected controls and ISMS specifics, you’ll develop an ISO 27001 internal audit plan containing all the activities the auditor will perform to ensure alignment with the standard’s requirements.
If you plan to expand the scope of your ISMS to include a new department, you must include that expansion in the internal audit before it can be assessed during the full external certification audit.
The auditor can be someone from your organization, and they don’t need to be credentialed to perform the audit. All that matters is that they’re impartial and aren’t responsible for any part of the ISMS. If you don’t have such a team member, you can hire a third-party ISO 27001 consultant or auditor.
2. Prepare an ISO 27001 checklist
After developing your internal audit plan, you should condense it into an actionable checklist with specific tasks. To do so, you should gather and review various documentation, including:
- ISMS Scope Statement
- ISMS Statement of Applicability
- Information Security Policy
- ISMS management review meeting minutes
- ISMS Corrective Action Report or ISO internal audit gap analysis
- Business Continuity Policy
A particularly important document is your risk assessment and risk treatment plan.
{{sme_quote_3="/testimonials"}}
3. Undergo the internal audit
Once your auditor has reviewed the documentation and understood your audit scope, they’ll perform the audit by examining your ISMS and comparing its implementation to the corresponding ISO 27001 controls.
You’ll likely implement various controls to ensure robust security, which means the audit can take some time (up to a few weeks). During this period, you should be available to the auditor to remove any blocks efficiently.
4. Evaluate and document the results
As the auditor examines your ISMS, they’ll take notes of their findings. Specifically, they’ll record the specific aspects of the ISMS, how they analyzed the applicable controls, and how the findings were verified.
The auditor might document several types of internal audit findings, most notably:
- Passed controls
- Missing controls
- Controls that are no longer functioning
You should evaluate these findings with the auditor to confirm they align with your ISMS implementation. If any gaps are identified, outline a clear remediation plan you’ll execute before the certification audit.
5. Prepare the internal audit report
When the internal audit is complete, the auditor will compile a detailed report you’ll need to present during the official ISO 27001 certification audit. If you hire a third-party auditor, you don’t need to do much at this stage because they’ll take over the process.
If the auditor is someone from your team, you should understand how to write an internal audit report for ISO 27001. Specifically, the report should include the following components:
- Introduction: A concise overview of the audit’s scope and objectives as per the ISMS Scope Statement
- Executive summary: The internal auditor’s key findings, including their assessment of whether your ISMS is compliant with ISO 27001
- Report guidance: Recommendations on who should review the report and whether it should be classified as a confidential document
- Audit findings: A detailed account of the controls the auditor assessed alongside the key findings regarding your implementation and effectiveness
- Audit limitations: A statement noting any limitations to the scope of the audit
6. Undergo management review
Ideally, your internal audit will reveal complete readiness for the official ISO 27001 certification audit—but many organizations won’t see this after the first internal audit. If the audit highlights any deficiencies, you should inform the organization’s leadership and ensure they go through the report.
The main goal is to secure management buy-in by communicating the benefits of implementing the missing controls or making changes to the ISMS. By doing so, you can obtain the resources necessary for comprehensive gap remediation.
7. Implement follow-up processes
Once the management has reviewed the internal audit report, you should define the most effective way forward and implement the changes required for ISO 27001 certification. This can include various activities, such as:
- Changing your information security policies
- Implementing specific technological controls
- Enhancing physical IT security
In any case, track your progress and document any updates to understand how close you are to full ISO 27001 compliance. After the controls are implemented, perform the final review against the corresponding ISO 27001 requirements to confirm readiness for the external audit.
{{cta_withimage2="/cta-modules"}} | ISO 27001 compliance checklist
How to avoid common ISO 27001 internal audit mistakes
During the ISO 27001 internal audit procedure, you might encounter several challenges, such as:
- Limited expertise within internal audit teams: This is the most common issue organizations encounter (especially startups and smaller organizations with a limited workforce). If you don’t have a fitting auditor on your team, opt for a third-party one.
- Audit fatigue among internal teams: Various departments might be involved in the audit process, which can be overwhelming on top of their existing daily duties. This can cause considerable bottlenecks that may hinder the audit.
- Poor evidence gathering and documentation: Many organizations rely on manual documentation processes and disparate management systems, such as scattered spreadsheets and email chains, which makes evidence collection inefficient.
Besides finding a reputable internal auditor, the best way to overcome these challenges is to support the audit process with a dedicated automation solution. The right platform can streamline key audit tasks like evidence collection, risk assessment tracking, and report generation—helping you reduce manual work, avoid delays, and speed up the entire process.
Vanta: Your trusted partner for ISO 27001 internal audits
Vanta is a compliance and trust management platform that automates up to 80% of ISO 27001 compliance processes, including those related to internal audits. It offers a dedicated ISO 27001 product that streamlines control implementation and reviews through multiple helpful features, such as:
- Automated evidence collection supported by 375+ integrations
- Centralized compliance documentation
- Real-time monitoring of ISO 27001 controls
- Checklists, templates, and tests for developing and implementing your ISMS
- Streamlined access review features
If you need a third-party internal auditor, you can browse Vanta’s partner network to find reputable organizations that will support you throughout the process and ensure timely, accurate audits.
Schedule a custom demo of Vanta’s ISO 27001 product for more information and a hands-on overview.
{{cta_simple2="/cta-modules"}} | ISO 27001 product page
Preparing for an ISO 27001 audit
Your guide to internal ISO 27001 audits: Requirements and steps

Preparing for an ISO 27001 audit
Your guide to internal ISO 27001 audits: Requirements and steps

Download the checklist
Preparing for an ISO 27001 audit
Looking to automate up to 80% of the work for ISO 27001 compliance?
Internal audits are necessary for obtaining and maintaining your ISO 27001 certificate. They help you ensure readiness for the external certification audit and keep track of your compliance and security posture.
Still, an ISO 27001 internal audit might be resource-intensive and laborious without proper guidance. It puts considerable pressure on security compliance teams and other departments involved in the process.
Our guide will help you avoid these issues by discussing the key steps to effective ISO 27001 audit preparation and execution. We’ll cover:
- The basics of internal ISO 27001 audits
- Steps to conduct an audit (including details on internal audit documentation, reporting, and more)
- Specific challenges you might encounter
What is an ISO 27001 internal audit?
An ISO 27001 internal audit is an organized, documented, and independent evaluation of your organization’s information security management system (ISMS) and its alignment with ISO 27001. Unlike the certification audit, it’s performed in-house, though it can be outsourced if the organization lacks a competent, independent auditor.
You’ll perform an internal audit before several external ISO 27001 audits, specifically:
- The initial Stage 1 audit
- Annual surveillance audits
- Recertification audits
By doing so, you can ensure your ISMS continuously meets the necessary ISO 27001 requirements.
{{cta_withimage2="/cta-modules"}} | ISO 27001 compliance checklist
Does ISO 27001 require an internal audit?
As per ISO 27001 Clause 9.2, an internal audit is necessary for certification. While the general purpose of the audit is to ensure ongoing ISMS security, it also lets you accomplish several additional goals, such as:
- Enabling certification readiness: Besides being a mandatory prerequisite to the external audit, an internal ISMS audit supports a streamlined certification process without extensive back-and-forth
- Anticipating and preparing for data security risks: Regular internal audits help your ISMS evolve ahead of notable security threats and risks to ensure ongoing information security
- Pinpointing ISMS improvement opportunities: An effective ISO 27001 internal audit process helps you identify both major compliance gaps and smaller, yet impactful, areas for ISMS improvement
- Supporting continuous compliance: You’ll need to perform internal audits at least annually to maintain and renew your ISO 27001 certificate
What is required to perform an ISO 27001 internal audit?
Besides highlighting their mandatory nature, Clause 9.2 outlines the key ISO 27001 internal audit requirements. To conduct a successful audit, you’ll need to:
- Outline the audit scope and criteria
- Select your internal audit methodology and develop an audit program
- Choose an independent and objective internal ISO 27001 auditor
- Develop a reporting mechanism to communicate audit findings to top management
All of this should be in place before the audit starts, so the preparation activities should be factored in when defining the audit timeline.
How often should internal audits be conducted in compliance with ISO 27001?
While there’s no fixed ISO 27001 internal audit frequency specified by the standard, Clause 9.2 recommends conducting audits at planned intervals. If you need help setting those intervals, refer to the following table for frequency recommendations according to different audit types:
As for how long an internal audit takes, the specific duration will largely depend on your security posture and scope. An estimated internal audit timeline for most organizations spans one to three weeks, which you can use as a reference point.
{{cta_simple2="/cta-modules"}} | ISO 27001 product page
How to conduct an ISO 27001 internal audit: 7 key steps
The general steps for internal audits under ISO 27001 are as follows:
- Define the internal audit scope
- Prepare an ISO 27001 checklist
- Undergo the internal audit
- Evaluate and document the results
- Prepare the internal audit report
- Undergo management review
- Implement follow-up processes
Below, we’ll cover each step in more detail.
1. Define the internal audit scope
To start internal audit preparation, you’ll need to outline the components of your IT infrastructure the audit will encompass. In other words, you’ll map out the ISMS and the controls you’ll use to track its implementation and effectiveness.
Based on the selected controls and ISMS specifics, you’ll develop an ISO 27001 internal audit plan containing all the activities the auditor will perform to ensure alignment with the standard’s requirements.
If you plan to expand the scope of your ISMS to include a new department, you must include that expansion in the internal audit before it can be assessed during the full external certification audit.
The auditor can be someone from your organization, and they don’t need to be credentialed to perform the audit. All that matters is that they’re impartial and aren’t responsible for any part of the ISMS. If you don’t have such a team member, you can hire a third-party ISO 27001 consultant or auditor.
2. Prepare an ISO 27001 checklist
After developing your internal audit plan, you should condense it into an actionable checklist with specific tasks. To do so, you should gather and review various documentation, including:
- ISMS Scope Statement
- ISMS Statement of Applicability
- Information Security Policy
- ISMS management review meeting minutes
- ISMS Corrective Action Report or ISO internal audit gap analysis
- Business Continuity Policy
A particularly important document is your risk assessment and risk treatment plan.
{{sme_quote_3="/testimonials"}}
3. Undergo the internal audit
Once your auditor has reviewed the documentation and understood your audit scope, they’ll perform the audit by examining your ISMS and comparing its implementation to the corresponding ISO 27001 controls.
You’ll likely implement various controls to ensure robust security, which means the audit can take some time (up to a few weeks). During this period, you should be available to the auditor to remove any blocks efficiently.
4. Evaluate and document the results
As the auditor examines your ISMS, they’ll take notes of their findings. Specifically, they’ll record the specific aspects of the ISMS, how they analyzed the applicable controls, and how the findings were verified.
The auditor might document several types of internal audit findings, most notably:
- Passed controls
- Missing controls
- Controls that are no longer functioning
You should evaluate these findings with the auditor to confirm they align with your ISMS implementation. If any gaps are identified, outline a clear remediation plan you’ll execute before the certification audit.
5. Prepare the internal audit report
When the internal audit is complete, the auditor will compile a detailed report you’ll need to present during the official ISO 27001 certification audit. If you hire a third-party auditor, you don’t need to do much at this stage because they’ll take over the process.
If the auditor is someone from your team, you should understand how to write an internal audit report for ISO 27001. Specifically, the report should include the following components:
- Introduction: A concise overview of the audit’s scope and objectives as per the ISMS Scope Statement
- Executive summary: The internal auditor’s key findings, including their assessment of whether your ISMS is compliant with ISO 27001
- Report guidance: Recommendations on who should review the report and whether it should be classified as a confidential document
- Audit findings: A detailed account of the controls the auditor assessed alongside the key findings regarding your implementation and effectiveness
- Audit limitations: A statement noting any limitations to the scope of the audit
6. Undergo management review
Ideally, your internal audit will reveal complete readiness for the official ISO 27001 certification audit—but many organizations won’t see this after the first internal audit. If the audit highlights any deficiencies, you should inform the organization’s leadership and ensure they go through the report.
The main goal is to secure management buy-in by communicating the benefits of implementing the missing controls or making changes to the ISMS. By doing so, you can obtain the resources necessary for comprehensive gap remediation.
7. Implement follow-up processes
Once the management has reviewed the internal audit report, you should define the most effective way forward and implement the changes required for ISO 27001 certification. This can include various activities, such as:
- Changing your information security policies
- Implementing specific technological controls
- Enhancing physical IT security
In any case, track your progress and document any updates to understand how close you are to full ISO 27001 compliance. After the controls are implemented, perform the final review against the corresponding ISO 27001 requirements to confirm readiness for the external audit.
{{cta_withimage2="/cta-modules"}} | ISO 27001 compliance checklist
How to avoid common ISO 27001 internal audit mistakes
During the ISO 27001 internal audit procedure, you might encounter several challenges, such as:
- Limited expertise within internal audit teams: This is the most common issue organizations encounter (especially startups and smaller organizations with a limited workforce). If you don’t have a fitting auditor on your team, opt for a third-party one.
- Audit fatigue among internal teams: Various departments might be involved in the audit process, which can be overwhelming on top of their existing daily duties. This can cause considerable bottlenecks that may hinder the audit.
- Poor evidence gathering and documentation: Many organizations rely on manual documentation processes and disparate management systems, such as scattered spreadsheets and email chains, which makes evidence collection inefficient.
Besides finding a reputable internal auditor, the best way to overcome these challenges is to support the audit process with a dedicated automation solution. The right platform can streamline key audit tasks like evidence collection, risk assessment tracking, and report generation—helping you reduce manual work, avoid delays, and speed up the entire process.
Vanta: Your trusted partner for ISO 27001 internal audits
Vanta is a compliance and trust management platform that automates up to 80% of ISO 27001 compliance processes, including those related to internal audits. It offers a dedicated ISO 27001 product that streamlines control implementation and reviews through multiple helpful features, such as:
- Automated evidence collection supported by 375+ integrations
- Centralized compliance documentation
- Real-time monitoring of ISO 27001 controls
- Checklists, templates, and tests for developing and implementing your ISMS
- Streamlined access review features
If you need a third-party internal auditor, you can browse Vanta’s partner network to find reputable organizations that will support you throughout the process and ensure timely, accurate audits.
Schedule a custom demo of Vanta’s ISO 27001 product for more information and a hands-on overview.
{{cta_simple2="/cta-modules"}} | ISO 27001 product page




Peter Simpson-Young Key Accounts and Compliance Coordinator | Coviu
Explore more ISO 27001 articles
Introduction to ISO 27001
ISO 27001 requirements
Preparing for an ISO 27001 audit
Streamlining ISO 27001 compliance
Understanding ISO differences
Get started with ISO 27001
Start your ISO 27001 journey with these related resources.

The ISO 27001 Compliance Checklist
ISO 27001 is the global gold standard for ensuring the security of information and its supporting assets. Obtaining ISO 27001 certification can help an organization prove its security practices to potential customers anywhere in the world.

ISO 27001 Compliance for SaaS
On 10 October at 2 PM BST, join the Ask Me (Almost) Anything with Herman Errico and Kim Elias, compliance experts at Vanta. They’ll answer (almost) all your questions about ISO 27001 compliance.

ISO 27001 vs. SOC 2: Which standard is right for my business?
Complying with security standards such as ISO 27001 or SOC 2 can help boost your business, but for technology startups, security compliance is often lower on the list of company priorities.