What is an ISO 27001 internal audit?
An ISO 27001 internal audit involves examining an organization’s Information Security Management System (ISMS) before undergoing an ISO audit with an external auditor. The internal audit aims to help identify gaps or deficiencies that could affect an organization’s ISMS and impact its ability to meet its intended objectives and complete an initial or annual ISO 27001 certification audit.
The internal audit function is a requirement under the ISO 27001 standard. However, unlike a certification review where an organization must use an external third party to conduct the audit, either staff within an organization or an independent third party—such as a consulting firm—can perform an audit.
When determining its approach to the execution of an internal audit, a company must:
The internal audit results, including nonconformities, should be shared with a company’s ISMS governing body and senior management to ensure oversight and identify issues before proceeding to the external audit.