Preparation —

Running an ISO 27001 Internal Audit

ISO 27001 internal audits verify the ISMS, document findings, and drive continuous improvement to ensure compliance.

Share this article

Contents

No headings found on page

Running an ISO 27001 Internal Audit

An internal audit's job is to find problems before your certification body does. A clean internal audit with zero findings usually means the audit wasn't rigorous enough, not that the ISMS is flawless — and certification bodies know this, which is why a suspiciously spotless internal audit report can itself draw scrutiny. Required under Clause 9.2, the internal audit is one of two mechanisms (alongside management review) that ISO 27001 uses to verify the ISMS is actually working, not just documented.

Building the Internal Audit Plan

Before auditing anything, define the plan itself:

  • Scope — which clauses and which Annex A controls are being audited in this cycle. Most organizations can't audit everything in one pass; a rolling schedule across the certification period is normal and expected.

  • Objectives — what the audit is checking for: conformity to the standard, conformity to your own documented procedures, and operational effectiveness. These are three different questions, and an audit that only checks the first one misses the point.

  • Frequency — annual at minimum, but higher-risk areas (access control, incident response) often warrant more frequent checks.

  • Audit criteria — the specific standard, policy, or procedure each audit activity is being measured against.

A plan that skips this step and jumps straight to "let's review some controls" produces unstructured findings that are hard to defend to a certification auditor later.

Selecting Auditors

ISO 27001 requires auditor independence — whoever implemented or owns a control cannot be the one auditing it. For most small and mid-size organizations, this means either:

  • Internal staff from a different function (e.g., someone outside IT auditing IT controls), or

  • External auditors brought in specifically for this purpose

The independence requirement isn't a formality. An auditor reviewing their own work tends to find fewer issues — not from dishonesty, but because familiarity with a process makes its gaps less visible. If your organization is small enough that true independence is hard to achieve internally, that's a legitimate reason to bring in outside help rather than stretch the definition of "independent."

Conducting the Audit

A rigorous internal audit checks two distinct things, and conflating them is a common mistake:

  1. Documentation review — does the policy, procedure, or record exist, and does it say what it should?

  2. Control operation — is the control actually functioning the way the documentation describes, in practice, right now?

A policy that reads well but doesn't match what's actually happening operationally is itself a finding. Auditors should sample real evidence — access logs, ticket histories, configuration exports — rather than relying on a control owner's verbal confirmation that "it's working."

For the broader requirements this audit is checking against, see What Are the ISO 27001 Requirements? and Exploring ISO 27001 Clauses 4-10

Documenting Findings

Every finding needs to be logged with enough detail that someone outside the audit can understand and act on it:

  • What was checked, and against what criteria

  • What was found, including evidence

  • Severity — whether it's a nonconformity, an observation, or an opportunity for improvement

  • An assigned owner and target date for corrective action

Vague findings ("access control needs improvement") are functionally useless. A finding should be specific enough that the corrective action it produces is obvious: "Three terminated employees retained system access for 14+ days past offboarding" tells you exactly what to fix.

Closing the Loop

An internal audit that produces findings but no follow-through is worse than not auditing at all — it creates a paper trail showing you knew about a gap and didn't close it. Findings need to feed into a corrective action process with root cause analysis and verification that the fix actually worked, not just that something was logged and closed.

This connects internal audits directly to Clause 10 — continual improvement only functions if audit findings actually change something. For how this fits into the broader certification timeline, see ISO 27001 Compliance Checklist Essentials, and for what happens after internal audits are complete, see Preparing for an ISO 27001 Audit

In the Spotlight

Start your ISO 27001 compliance journey with DSALTA's complete checklist.

ISO® 27001 is the international gold standard for information security management systems (ISMS). Certification shows your organization can manage sensitive information securely and reliably.

Although ISO 27001 looks challenging, DSALTA®’s automation makes it easier: mapping risks, collecting evidence, and monitoring controls in real time. This checklist gives you a clear step- by-step roadmap.

Read more about ISO 27001 certificate with DSALTA.

Stop losing deals to compliance.

Get compliant. Keep building.

Join 100s of startups who got audit-ready in days, not months.