Internal audits: What you need to know!

Conducting an ISO 27001 internal audit involves several steps to ensure compliance with the standard's requirements for information security management systems (ISMS).

Here's a general outline:

  1. Understand ISO 27001 Requirements: Familiarise yourself with the ISO 27001 standard and its requirements. This includes understanding the clauses (the mandatory requirements) and the Annex A controls.
  2. Establish Audit Scope: Define the audit scope, objectives, criteria, and frequency. Determine which areas of the organisation's ISMS will be audited.
    Note: The scope of the audit is at the discretion of the organisation. Our tip? Include your entire ISMS in the scope for your first internal audit prior to certification. Once certified, you can start focusing on specific areas in your annual internal audit.
  3. Select Auditor/Audit Team: The general parameters are that the internal auditor must be independent of the team implementing your ISMS, and they must have a general understanding of ISO 27001 / Information Security.

    TIP: Just don’t mark your own homework!

  4. Plan the Audit: Develop an audit plan that outlines the audit objectives, scope, criteria, methodology, and schedule.
  5. Conduct the Audit: Execute the audit according to the established plan. This involves reviewing documents, interviewing personnel, and observing processes to assess compliance with ISO 27001 requirements.
  6. Document Findings: Record all audit findings, including any non-conformities or areas of improvement. Document evidence to support your findings.
  7. Report Results: Prepare an audit report summarising the findings, conclusions, and recommendations. Ensure the report is clear, concise, and actionable.
  8. Communicate Results: Present the audit findings to relevant stakeholders, including management and those responsible for the ISMS. Discuss any corrective actions that may be required.
  9. Document Corrective Actions: Document the non-conformities identified and monitor the implementation of the corrective actions that address them. Verify that the actions have been effectively implemented and that the ISMS is continually improving.
  10. Review and Improve: Evaluate the effectiveness of the internal audit process and identify opportunities for improvement. Use feedback to enhance future audits and the overall ISMS.

It's essential to remember that internal audits should be conducted regularly as part of the organisation's ongoing efforts to maintain and improve its ISMS.

TIP: Our general rule of thumb: do an internal audit at least annually!