ISO 27001 Internal Audits - Key things to know

ISO 27001 Internal Audits | The essential things you need to know to understand and tackle an ISO 27001 Internal Audit

What Is an Internal Audit under ISO 27001?

An internal audit is a documented review of your ISMS to evaluate whether it:

  • Conforms to your organization’s planned arrangements and the ISO 27001 standard.
  • Is effectively implemented and maintained.
  • Is capable of achieving your information security objectives.

Clause 9.2 of ISO/IEC 27001:2022 sets out the requirement for internal audits at planned intervals. These audits help you identify weaknesses and areas for improvement, and they support continuous compliance.

How does it differ from the external ISO 27001 certification audit?

While both internal and external audits assess your ISMS against the ISO 27001 standard, there are a few key differences between them:

Internal Audit                                                                   | External Audit
---------------------------------------------------------------------------------|-----------------------------------------------------------------
Conducted by your organization (or an independent third party, not your cert body) | Conducted by a certification body (like us)
Aimed at ongoing improvement and readiness                                       | Aimed at certifying or maintaining compliance
Flexible in timing and scope                                                     | Scheduled per certification cycle (Stage 1, Stage 2, surveillance)
Identifies issues before the external audit does                                 | Determines if your ISMS meets ISO 27001 requirements
Results used internally to drive corrective actions                              | Results used to make certification decisions

Why the Certification Body (AssuranceLab) Can’t Do This

While we’re here to assess your system for certification and surveillance purposes, we cannot perform your internal audit for you. This is because:

  • Independence and impartiality are key auditing principles. An internal audit must be conducted by someone independent of the activity being audited, including us as external certification auditors.
  • ISO/IEC 17021-1, the accreditation standard for certification bodies, prohibits us from participating in activities that would compromise our impartiality, such as designing, implementing, or auditing your ISMS internally.

If not the external auditor, who can perform an Internal Audit under ISO 27001?

In short, there are two options: conduct the audit using internal resources, or engage an independent third party.

Option 1: Using internal resources 

There are clear requirements the internal auditor must follow to ensure the audit remains effective, objective, and compliant with ISO 27001 and ISO 19011 (guidelines for auditing management systems).

1. Independence & Objectivity
  • Key Rule - The nominated internal auditor must not audit their own work and must be independent of the area being audited.
2. Competence of the Auditor(s)
  • Key Rule - Auditors must be competent, meaning they need the knowledge, skills, and experience to evaluate ISO 27001 controls and processes.

If an organisation can demonstrate that the above criteria are met, it may be possible to conduct the internal audit using internal resources. Check out our ‘Internal audits: Key steps to get started’ article for more information on the key initial steps to begin the audit process.

Option 2: Engage an independent third party

Engaging an independent third party is an alternative way to conduct the ISO 27001 Internal Audit.

This approach can help ensure key criteria such as independence, objectivity, and auditor competence are met, all of which are critical to maintaining the integrity of your Information Security Management System (ISMS).

When selecting a third-party provider, it's important to carefully evaluate several factors to ensure they’re the right fit. Look for criteria such as industry-specific experience, a clear and relevant service offering, and the ability to assess your ISMS against the full requirements of the ISO 27001 standard.

You can explore our partner ecosystem below to find trusted providers that can support your ISO 27001 compliance journey: AssuranceLab Partners