ISO 27001 Internal Audit

ISO 27001 Internal Audit

An ISO 27001 Internal Audit is a critical part of both achieving and maintaining valid ISO 27001 Certification for your business.

As part of ISO 27001 certification and separate from external audits, regular internal audits must be performed in order to help you identify areas for improvement and to ensure an organisation has best practice processes in place, keeping both your sensitive corporate information and personal data protected.

The ISO 27001 Internal Audit process schedules periodic checks performed by businesses validating whether your ISMS (information security management system) continues to meet the requirements of the ISO 27001 standard.

By having a regularly scheduled set of ISO 27001 Internal Audits an organisation is able to identify issues early, which can cause gradual deviations from the business’s own interpretation of best practice, and a potential lapse of their ISO 27001 Certification.

ISO 27001 internal audits are typically scheduled at least once per year and typically cover all of the activities you undertake with regular management review meetings to review observations, typically occurring between one and four times a year.

An ISO 27001 internal audit should not be considered a quick fix, but as a continuous process of investigation, analysis and improvement of the ISMS, providing a defined process to improve both the systems and the overall effectiveness of security controls within an organisation.

It is considered that a concerted approach to improvements over several audits is a better approach than a single audit that attempts to do too much at once.

The ISO 27001 internal audit process can be performed either internally by the business on their own systems as part of the maintenance of their Information Security Management System, or by a third party who can carry out the Internal Audits on their behalf.

For many organisations, the ISO 27001 internal audit process can also pose a challenge, because unlike ISO 27001 implementation, there is no formalised internal audit methodology to follow.

It is common practice to outsource this activity which ensures the three pillars of internal auditing are preserved: competency, objectivity and impartiality.

The selection of auditors and conduct of audits is an important part of the process to ensure objectivity and impartiality of the ISO 27001 internal audit process.

Our ISO 27001 Internal Audit service provides collaborative support to your business by conducting and documenting a systematic, independent and objective internal audit, helping you uphold the requirements of your ISO 27001 certification.

Fast Track Your ISO 27001 Internal Audit

Request a free ISO 27001 Internal Audit Consultation



Our ISO 27001 internal audit begins with a kick-off management meeting,  discussing status and importance of the processes, areas to be audited, as well as the results of previous audits to set clear limits for what is to be audited.

In the case of large organisations, we may need to review the ISMS in operation in all (or at least a representative sample) business locations.

Whilst Internal Audits are formal records, JAW Consulting UK will seek to establish a collaborative approach to conduct these in an atmosphere of friendliness and co-operation. This ensures the internal audit is a constructive, mutually beneficial activity and not seen as way of catching people out.

A pre-audit survey will involve our auditor identify and contact the main stakeholders in the ISMS, requesting ISMS-specific and related documentation for review. This will enable us to identify any specific audit tests to determine how closely the ISMS follows the documentation in relation to ISO 27001.

Following this, our auditor prepares the audit checklist and schedule of what processes should be reviewed, when and what evidence needs to be collected, ensuring the ISO 27001 internal audit is conducted in an orderly and systematic way.

Before beginning the audit, we explain to the auditee the purpose of the audit and how it will be performed and reported on. Make sure the latest documented information for the procedure is available so that you can both refer to it.

During the audit, any problems identified with the auditee will be recorded and discussed to determine a programme of corrective and preventive action that will define how the team/department/business can correct or prevent future occurrences (such as further training, adjusting the process, updating documentation etc.) and when these actions should be achieved by.

Following the completion of the internal audit, we will analyse all our findings and write up our ISO 27001 internal audit report.

The final step is the presentation of the report at a management review meeting, where findings are presented and recommended corrective actions. Whether the responsibility for this corrective actions is with the auditor (Optional) or the auditee, this will be discussed and agreed during the audit.

Key Benefits

✓   Provides competency, objectivity, and impartiality to your ISO 27001 internal audit.

✓   Validates your ISMS remains compliant with the ISO 27001 standard

✓   Identify non-conformities which need to be addressed

✓   Identify opportunities for improvements of the ISMS


Our Methodology

Step 1: Kick-Off Management Meeting (Off- Site or On-Site)

  • Early stage meeting enabling both parties the opportunity to raise any questions or concerns.
  • Ensure management support and sufficient internal resources for the audit.
  • Identification of main ISMS stakeholders
  • Agree checkpoints to provide interim updates to the management team (if required)

Step 2: Pre-Audit Survey (Off- Site)

  • Identification of main ISMS stakeholders
  • Identify all business locations (or representative sample) to review ISMS in operation
  • Request documentation for review
  • Review Statement of Applicability, ISMS Policy, previous ISMS reports
  • Define the clear scope of what needs to be audited
  • Define explicitly out of scope areas

Step 3: Documentation Review (Off-Site)

  • Reviewing all ISMS and supporting documentation
  • Confirm documentation matches ISMS scope
  • Create Audit Checklist with specific audit tests to validate alignment with ISMS documentation

Step 4: Create Audit Plan (Off-Site)

  • Identification of departments/locations to visit
  • Identify key focus/high-risk areas
  • Create a detailed audit plan with schedule and timing
  • Confirm on-site requirements have been provided
  • Walk-through of engagement activities, and agree roles and resource availability.
  • Provide questions to support information gathering in advance of on-site workshop & Gap Analysis.

Step 5: Conduct Audit (On-Site and Off-Site)

  • Record observations of ISMS processes in operation
  • Check of computers and associated equipment
  • Record observations of physical security
  • Collection of evidence to support audit tests

Step 6: Findings Analysis (Off-Site)

  • Sort and Review collected evidence in-line with risk treatment plan and control objectives.
  • Identification of any evidence gaps
  • Identification of any areas requiring further audit tests

Step 7: Reporting

  • An introduction clarifying the scope, objectives, timing, and extent of the work performed.
  • An executive summary covering the key findings, high-level analysis, and a conclusion.
  • An in-depth analysis of the findings.
  • Conclusions and recommended corrective actions.

Step 8: Management Review Meeting (Onsite or Offsite)

  • Walkthrough of the ISO 27001 Internal Audit Report
  • Presentation of findings and recommendations to ensure ISO 27001 certification
  • Agreement of Corrective Action Plan and action owners
  • Update of Audit Plan (if required)

Step 9: Follow-Up

  • Ensure Non-Conformities are addressed by action owners
  • Provide support for remediation of Non-Conformities or Improvement (Optional)


  • Total:       Dependant on Scope
  • Onsite:    Dependant on Scope
  • Remote:  Dependent on Scope


  • ISO 27001 Internal Audit Plan- A clear plan which documents and defines the ISO 27001 audit criteria, scope, and methods.
  • ISO 27001 Internal Audit Report–A summary report on findings confirming what was found during the internal audit,  recommendations, and any actions that agreed with the auditee to address those issues.
  • ISO 27001 Internal Audit Management Review Meeting –A walkthrough of the ISO 27001 audit report with the management team so that recurring issues can be identified and opportunities to improve found, helping to drive continual improvement within the business.

Optional Related services

  • ISO 27001 Gap Analysis & Scoping
  • ISO 27001 Risk Assessment
  • ISO 27001 Remediation Planning
  • ISO 27001 ISMS Framework Development
  • ISO 27001 Policy & Documentation Support
  • ISO 27001 Pre-Assessment Review
  • ISO 27001 Management Platform

Learn how we can help you achieve and maintain your organisations compliance with our ISO 27001 Internal Audit.

Contact Us.