866.254.0000
Contact Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
SOC 1 / SSAE 18 Examination
SOC 2 Examination
SOC 3 Examination
SOC for Supply Chain
SOC for Cybersecurity
SOC Essentials for Early-Stage Companies
C5 Attestation
CSA STAR Programs
Payment Card Assessments
Payment Card Assessments
PCI DSS Validation
PCI SSF
PCI P2PE Validation
PCI PIN Assessments
PCI 3DS Compliance
ISO Certifications
ISO Certifications
ISO 27001
ISO 42001
ISO 27701
ISO 9001
ISO 22301
ISO-20000-1
Privacy Assessments
Privacy Assessments
APEC Certification
GDPR Assessment
International Privacy Assessments
US State Privacy Assessments
Microsoft SSPA/DPR Assessment
Privacy Program Assessment
FERPA Assessment
EU Cloud Code of Conduct
Federal Assessments
Federal Assessments
FedRAMP®
CMMC / NIST SP 800-171
FISMA/NIST
ITAR
CJIS
IRAP
FTC Consent Decrees
DoD IL6
Healthcare Assessments
Healthcare Assessments
HITRUST Certification
HIPAA Compliance
HIPAA Express
EPCS-DEA Audits
Health Data Host (HDS) Certification
Penetration Testing
Penetration Testing
Application
Network
Mobile
Red Teaming
Social Engineering
Cloud
Physical
Hardware and IoT
Advanced Series
Cybersecurity Assessments
Cybersecurity Assessments
Cloud Configuration Assessments
Ransomware Assessments
NIST Cybersecurity Framework Assessments
Schellman Software Security Assessment (S3A)
TISAX®
SWIFT Customer Security Programme
Internal Audit Co-Sourcing
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
Learning Center
Our Technology
About Us
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships
ISO Certificate Directory
Contact Us

«  View All Posts

What You Need to Know About ISO 27001 Internal Audits Blog Feature
Mike Somody

By: Mike Somody

Print/Save as PDF

What You Need to Know About ISO 27001 Internal Audits

ISO 27001 | Internal Audits

Published: Apr 3, 2025

A critical component of the ISO 27001 framework is the internal audit defined in Clause 9.2. The internal audit is designed to evaluate the effectiveness and compliance of your Information Security Management System (ISMS).   

Despite its importance however, the ISO 27001 internal audit process can be challenging to navigate, particularly for those unfamiliar with the intricacies of Clause 9.2. Its complexity can lead to confusion around the steps involved and how to best prepare. Fortunately, Schellman is experienced in providing ISO 27001 internal audit and certification services and we’re here to tell you what you need to know. In this blog, we’ll cover the key aspects of the ISO 27001 internal audit and how to best be prepared to execute them. 

The ISO 27001 Internal Audit Explained 

The internal audit is a systematic and independent process that helps an organization assess whether its ISMS complies with the requirements of ISO 27001. It evaluates an organization’s implementation of information security against the scope of their ISMS and helps identify gaps, inefficiencies, and areas for improvement within the ISMS. The internal audit is essential for ensuring not only compliance with the ISO 27001 standard, but also for fostering a mature and continually improving ISMS. 

The Difference Between Internal and External Audits  

Internal and external audits largely follow the same guidelines and principles, with a focus on compliance with the ISO 27001 standard. The purpose behind each is where the differences become clearer. 

Your internal audit allows for more scope flexibility – those high-risk areas or problem child risks your organization has identified can be an area of focus and reflected in your audit planning. Your annual audit of the clauses must happen, but you are afforded the opportunity to dig and improve on areas viewed as most important to your organization. 

An external audit is going to do much of the same; ensure compliance with the ISO 27001 standard and make sure that certification compliance has been properly maintained. An obvious difference is that an external audit is performed by an independent third party, where an internal audit can be performed by any qualified individual independent of the ISMS. 

In summary, an internal ISO 27001 audit is more about checking internal compliance and improving the ISMS, while an external ISO 27001 audit focuses on verifying compliance for certification by an independent body. 

Who Can Conduct Your Internal Audit   

When selecting the audit team who will be responsible for conducting internal audit activities, objectivity and impartiality must be maintained. Your internal auditors are typically trained in ISO 27001 and may be from the internal audit department or the information security team and report their results to the ISMS management team. Not only should the audit team you choose take care to ensure they are not auditing functions over which they have direct operational control or ownership, but impartiality is equally as important when considering the auditors who will be reviewing your ISMS against the standard. 

How Often to Conduct an Internal Audit 

Conducting an audit or planning one against yourself is not in most people’s job descriptions, but ISO 27001 does require a specific frequency to maintain compliance. As part of initial certification activities, an internal audit must be conducted and executed against the requirements of the standard Clause 9.2. Following that successful initial certification audit, your first surveillance review, or first follow-up external audit, must be conducted within 12 months. This timeline will dictate at a high level by what time you need to complete your next internal audit, and moving forward, at least an annual cadence of an internal audit in preparation for your external audit must be completed. 

The Steps in the Internal Audit Process 

The ISO 27001 internal audit process involves several key steps, each designed to ensure compliance with the standard while identifying areas for improvement. Here’s a closer look at the critical stages of the internal audit process: 

1. Audit Planning

Before the audit, an audit plan is developed to define the scope, objectives, and schedule of the audit. It involves identifying which areas of the ISMS will be reviewed and who will be responsible for each part of the audit process. 

2. Conducting the Audit

Auditors gather evidence through interviews, document reviews, and inspections of processes and controls. This phase helps determine whether the organization’s ISMS complies with ISO 27001 and operates effectively. 

3. Audit Findings and Reporting

After the audit, auditors compile findings, highlighting any non-conformities, opportunities for improvement, and recommendations for enhancing the ISMS. These findings are then presented to management. 

4. Corrective Actions

Based on the audit findings, the organization must take corrective actions to address any non-conformities or weaknesses. These actions are tracked and monitored to ensure they are implemented effectively. 

5. Follow-up Audits

In some cases, follow-up audits may be necessary to verify that corrective actions have been successfully implemented and that improvements have been made. 

Tips to Prepare for Your ISO 27001 Internal Audit 

So, what’s next? Now that you better understand what the ISO 27001 internal audit is, the purpose behind it, and the steps involved, here are some tips to make sure you are prepared for a successful internal audit. 

  • Understand ISO 27001 Requirements 

    • Familiarize Yourself with the Standard: Make sure you have a solid understanding of ISO 27001, its clauses, and controls. This will help you assess the ISMS against the requirements.
    • Review the ISMS Scope: Understand the scope of your organization's ISMS, including the processes, departments, systems, and data covered by the audit. 

  • Review Internal Policies and Procedures

    • Ensure Alignment with ISO 27001: Review all relevant policies, procedures, and controls to ensure they align with the ISO 27001 standard. This includes areas such as risk management, asset management, incident management, and objective and metric monitoring.
    • Check Document Control: Verify that all ISMS-related documents are up-to-date, properly stored, and easily accessible. 

  • Check Risk Assessment and Treatment Plan

    • Verify Risk Management Process: Ensure that your risk assessment process is current and that the risk treatment plan is being followed. Confirm that identified risks have been mitigated, transferred, accepted, or avoided as per the treatment plan. 

  • Review the Security Controls 

    • Ensure Control Implementation: Check that all security controls (such as access control, encryption, physical security, etc.) are in place and function as intended. The audit should verify whether controls are adequately implemented, monitored, and reviewed.
    • Validate the Effectiveness of Controls: Ensure that controls are not just documented but are also effectively reducing risk. For instance, test whether access controls prevent unauthorized access to sensitive information. 

  • Prepare Evidence and Records

    • Gather Supporting Documentation: Collect evidence that demonstrates the effectiveness of your ISMS. This includes incident logs, training records, risk assessments, audit logs, and evidence of corrective actions taken.
    • Review Past Audit Findings: Ensure that corrective actions from previous audits or reviews have been implemented and validated. 

  • Conduct Internal Training

    • Audit Team Awareness: Ensure the internal audit team understands the audit process, ISO 27001 requirements, and how to assess compliance. Training helps the team remain objective and focused during the audit.
    • Staff Awareness: It’s good practice (and a clause in the standard itself) to raise awareness among staff members about the importance of ISO 27001, the internal audit process, and their role in maintaining information security. 

  • Plan the Audit

    • Define Audit Objectives and Scope: Clearly define the objectives of the audit, the areas to be audited, and the scope. Focus on critical areas that may pose higher security risks.
    • Create an Audit Schedule: Develop a schedule for the audit, specifying when and where each part of the audit will take place, and who will be involved. 

Beginning Your ISO 27001 Internal Audit Journey 

The internal audit component of ISO 27001 is vital for maintaining an effective and compliant ISMS. By thoroughly preparing and understanding the requirements of the internal audit, you’ll be able to gain efficiency and continue to improve the ISMS as your certification cycle moves forward.   

If you’re ready to begin your ISO 27001 internal audit or certification journey, Schellman can help. Contact us today to learn more about our services and we’ll get back to you shortly. In the meantime, to help understand some of ISO 27001’s other complexities and updates, check out our other content to ensure you’re much more prepared for certification: 

About Mike Somody

Mike Somody is an ISO Senior Associate with Schellman. Prior to joining Schellman in 2022, Mike worked as a Senior, Business Consultant at a Big 4 Accounting firm, specializing in Technology Risk (SOX 404/ITGC compliance). Mike also led and supported various other projects, including SDLC Implementation Evaluations, Application Controls Testing, as well as other Internal and External IT audits. Mike additionally has experience with CSA STAR and TISAX assessments. Mike has over 5 years of experience comprised of serving clients in various industries, including Healthcare, Industrial Products, Consumer Goods, and Real Estate. Mike is now focused on ISO 27001, 9001, and 22301 certifications, as well as CSA STAR and TISAX reporting for organizations across various industries.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Read delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.