🎉
ISO 27001 and HIPAA compliance support now available on Vanta!
Read More >
GLOSSARY

ISO 27001 Internal Audit

What is an ISO 27001 internal audit?‍

‍

An ISO 27001 internal audit involves examining an organization’s Information Security Management System (ISMS) before undergoing an ISO audit with an external auditor. The internal audit aims to help identify gaps or deficiencies that could affect an organization’s ISMS and impact its ability to meet its intended objectives and complete an initial or annual ISO 27001 certification audit.


The internal audit function is a requirement under the ISO 27001 standard. However, unlike a certification review where an organization must use an external third party to conduct the audit, either staff within an organization or an independent third party—such as a consulting firm—can perform an audit. 


When determining its approach to the execution of an internal audit, a company must:

‍

  • Ensure the auditor is objective and impartial, meaning there are no conflicts of interest and that appropriate separation of duties are in place (i.e., the auditor has not implemented or does not operate or monitor any of the controls under audit).
  • Ensure the auditor is qualified and competent regarding auditing processes and procedures, as well as the ISO 27001 standard.


The internal audit results, including nonconformities, should be shared with a company’s ISMS governing body and senior management to ensure oversight and identify issues before proceeding to the external audit.

Vanta automates compliance starting with SOC 2
Please enter your first name
Please enter your last name
Please enter a valid email address
Please enter a job title
Please enter your company name
Please enter your company website
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.