
ISO 27001 Internal Audits: Requirements and Best Practices

Internal audits are a mandatory requirement for ISO 27001 and essential for maintaining an effective ISMS. This guide explains how to plan, conduct, and get value from your internal audits.

Key Takeaways

Point | Summary
Required by | Clause 9.2; must be conducted at planned intervals
Purpose | Verify the ISMS conforms to requirements and is effectively implemented
Frequency | At least annually, more often for higher-risk areas
Auditor requirements | Must be objective and impartial (independent of the areas audited)
Outputs | Audit program, audit reports, findings, management reporting

Quick Answer: ISO 27001 requires internal audits at least annually. Auditors must be independent of the areas they audit. Findings must be reported to management and addressed through corrective actions. Complete your internal audit before the certification audit.

Why Internal Audits Matter

ISO 27001 Requirement

Clause 9.2 mandates internal audits:

"The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system:
a) conforms to the organization's own requirements for its information security management system;
b) conforms to the requirements of this document;
c) is effectively implemented and maintained."

(Note: ISO/IEC 27001 requires audits at "planned intervals" – the organization determines the frequency based on importance of processes and results of previous audits. Annual is common practice but not explicitly mandated by the standard.)

Purpose of Internal Audits

Purpose | Benefit
Verify conformance | Ensure the ISMS meets requirements
Identify issues | Find problems before external auditors do
Drive improvement | Discover enhancement opportunities
Demonstrate due diligence | Evidence of systematic oversight
Prepare for certification | Readiness check before the external audit

Internal vs. External Audits

Aspect | Internal Audit | Certification Audit
Conducted by | Internal staff or contracted auditor | Certification body
Frequency | Typically annual (minimum) | Initial audit + annual surveillance
Outcome | Findings and recommendations | Certification decision
Confidentiality | Internal use | Report to the organization
Approach | Can be more developmental | Strictly verificational

Internal Audit Requirements

What ISO 27001 Requires

Requirement | Details
Planned intervals | Scheduled audit program
Defined criteria | What the ISMS is being audited against
Defined scope | Which areas and processes are covered
Auditor objectivity | Independence from the areas audited
Documented process | Procedures for auditing
Reported results | Findings communicated to management
Retained records | Evidence that audits were conducted

Audit Program Elements

Internal Audit Program Requirements:

1. Planning:

  • Audit frequency (at least annual)
  • Audit scope (all clauses and controls over time)
  • Audit criteria (ISO 27001, policies, procedures)
  • Resource allocation

2. Execution:

  • Audit methods (interviews, document review, testing)
  • Auditor selection (competent and objective)
  • Audit conduct (per defined process)
  • Evidence collection

3. Reporting:

  • Findings documented
  • Nonconformities identified
  • Results reported to management
  • Corrective actions tracked

4. Follow-up:

  • Corrective actions verified
  • Effectiveness evaluated
  • Program reviewed and improved

Planning Your Audit Program

Audit Schedule

Option 1: Single Annual Audit

All ISMS areas audited at once, typically before external audit.

Pros | Cons
Comprehensive snapshot | Resource intensive
Efficient for small organizations | May miss ongoing issues
Clear preparation timeline | Single point of failure

Option 2: Rolling Audit Program

Different areas audited throughout the year.

Pros | Cons
Distributed effort | Requires more planning
Continuous oversight | May have coverage gaps
Easier to resource | More complex tracking

Sample Annual Audit Schedule

Annual Internal Audit Program:

Q1: Organizational Controls:

  • Policies and governance (5.1-5.8)
  • Asset management (5.9-5.14)
  • Incident management (5.24-5.28)

Q2: Access and People:

  • Access control (5.15-5.18)
  • People controls (6.1-6.8)
  • Clauses 4-5 (Context, Leadership)

Q3: Technical Controls:

  • Technological controls (8.1-8.34)
  • Physical controls (7.1-7.14)
  • Clauses 6-8 (Planning, Support, Operation)

Q4: Review and Improvement:

  • Vendor management (5.19-5.23)
  • Business continuity (5.29-5.30)
  • Clauses 9-10 (Evaluation, Improvement)
  • Pre-certification readiness review

Audit Scope Definition

For each audit, define:

Element | Example
Areas/processes | "Access management processes"
Clauses/controls covered | "Clauses 5.15-5.18, 8.2, 8.5"
Departments | "IT, HR, Engineering"
Locations | "London office, AWS infrastructure"
Period | "January 1 - March 31, 2024"

Auditor Requirements

Competence

Internal auditors need:

Competence | How to Achieve
ISO 27001 knowledge | Training, certification
Audit skills | Internal auditor training
Technical understanding | Relevant experience
Interviewing skills | Practice, training
Report writing | Templates, guidance

Independence and Objectivity

Requirement | Meaning
Cannot audit own work | Don't audit processes you are responsible for
Objective | No bias in findings
Free from influence | Report findings without pressure

Solutions for small organizations:

  • Cross-audit between departments
  • Rotate audit areas each year
  • Contract an external party to perform the internal audit
  • Engage vCISO or consultant

Conducting Internal Audits

Audit Process

Internal Audit Process:

1. Preparation (1-2 weeks before):

  • Review scope and criteria
  • Review previous audit findings
  • Prepare audit checklist
  • Schedule interviews
  • Request documentation

2. Opening Meeting:

  • Introduce audit team
  • Confirm scope and schedule
  • Explain audit process
  • Address questions

3. Audit Execution (1-5 days):

  • Document review
  • Interviews
  • Observation
  • Evidence collection
  • Testing

4. Closing Meeting:

  • Present preliminary findings
  • Discuss observations
  • Agree on next steps
  • Thank participants

5. Reporting (1-2 weeks after):

  • Compile findings
  • Draft audit report
  • Classify findings
  • Distribute report

6. Follow-up:

  • Track corrective actions
  • Verify implementation
  • Close findings

Audit Techniques

Technique | Use For
Document review | Policies, procedures, records
Interviews | Process understanding, awareness
Observation | Physical controls, process execution
Testing | Control effectiveness verification
Sampling | Evidence of consistent operation

Sample Audit Checklist

Access Control (5.15-5.18):

Check | Method | Evidence
Access control policy exists and is current | Document review | Policy document, approval date
Access provisioning follows defined process | Interview + sample | Tickets for new hires
Access reviews conducted quarterly | Records review | Review documentation
MFA implemented for all users | System check | Configuration screenshot
Access removed promptly on termination | Sample testing | Termination records vs. access
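The last check, "Access removed promptly on termination", is the one most worth scripting, because the sample test is a mechanical comparison of two exports. The following is an added example, not code from the original article or from Bastion: it compares a constructed HR termination export against a constructed IAM user export and reports every account that is still enabled or was disabled after the removal deadline. The record layout, field names and the 1-day removal SLA are assumptions.

```python
from datetime import date, timedelta

# Constructed sample evidence: HR termination export (employee id -> last working day)
HR_TERMINATIONS = {
    "E1001": date(2024, 1, 12),
    "E1002": date(2024, 2, 2),
    "E1003": date(2024, 3, 8),
    "E1004": date(2024, 3, 15),
}

# Constructed sample evidence: IAM user export (field names are assumptions)
IAM_ACCOUNTS = [
    {"user": "alice", "employee_id": "E1001", "enabled": False, "disabled_on": date(2024, 1, 12)},
    {"user": "bob", "employee_id": "E1002", "enabled": False, "disabled_on": date(2024, 2, 9)},
    {"user": "carol", "employee_id": "E1003", "enabled": True, "disabled_on": None},
    {"user": "dave", "employee_id": "E1004", "enabled": False, "disabled_on": date(2024, 3, 15)},
    {"user": "svc-ci", "employee_id": None, "enabled": True, "disabled_on": None},  # service account
]

SLA_DAYS = 1  # assumed removal SLA: access disabled within 1 calendar day of the last working day


def check_termination_removal(terminations, accounts, as_of, sla_days=SLA_DAYS):
    """Return one exception per account that is still enabled or was disabled
    after the SLA deadline; accounts with no employee id are out of scope."""
    by_employee = {}
    for acct in accounts:
        if acct["employee_id"] is not None:
            by_employee.setdefault(acct["employee_id"], []).append(acct)
    exceptions = []
    for emp, last_day in terminations.items():
        deadline = last_day + timedelta(days=sla_days)
        for acct in by_employee.get(emp, []):
            if acct["enabled"]:
                issue, overdue = "still enabled", (as_of - deadline).days
            elif acct["disabled_on"] > deadline:
                issue, overdue = "disabled late", (acct["disabled_on"] - deadline).days
            else:
                continue  # disabled on time: conformant
            exceptions.append({"user": acct["user"], "employee_id": emp,
                               "issue": issue, "days_overdue": overdue})
    return exceptions


def run_sample_test(as_of=date(2024, 4, 1)):
    """Run the check over the constructed sample and return the evidence figures."""
    exceptions = check_termination_removal(HR_TERMINATIONS, IAM_ACCOUNTS, as_of)
    sample = len(HR_TERMINATIONS)
    return {"sample_size": sample, "exceptions": exceptions,
            "exception_rate": round(100 * len(exceptions) / sample)}
```

The returned sample size, exception list and exception rate are the raw material for the Evidence line of a finding written in the structure described later on this page.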

Risk Management (Clause 6.1):

Check | Method | Evidence
Risk methodology defined | Document review | Risk procedure
Risk assessment conducted | Records review | Risk register
Risks assessed per methodology | Sample review | Assessment calculations
Risk treatment documented | Document review | Treatment plans
SoA complete and current | Document review | SoA document

Documenting Findings

Finding Categories

Category | Definition | Action Required
Major Nonconformity | Significant failure in ISMS effectiveness | Immediate corrective action
Minor Nonconformity | Isolated issue not affecting the overall ISMS | Corrective action within an agreed timeframe
Observation | Improvement opportunity | Consider addressing
Positive Finding | Good practice noted | Continue, possibly share

Writing Effective Findings

Finding Structure:

Element | Description
Reference | Clause or control audited
Requirement | What should be happening
Evidence | What was observed
Classification | Major/Minor NC, Observation

Example Finding:

Finding: NC-2024-003

Classification: Minor Nonconformity

Reference: ISO 27001 Clause 7.2 (Competence) / Control 6.3

Requirement: Personnel shall receive appropriate security awareness education and training.

Evidence: A review of training records showed that 15 of 47 employees (32%) had not completed annual security awareness training, which was due by December 31, 2023. Interviews confirmed there is no follow-up process for incomplete training.

Root Cause: No automated reminders or escalation for incomplete training.

Recommended Action: Implement automated reminder system and management escalation for incomplete training.

Audit Report Template

Internal Audit Report:

1. Executive Summary:

  • Audit scope and objectives
  • Overall conclusion
  • Key findings summary

2. Audit Details:

  • Audit dates
  • Auditor(s)
  • Interviewees
  • Documents reviewed

3. Findings:

  • Major nonconformities (if any)
  • Minor nonconformities
  • Observations
  • Positive practices

4. Statistics:

  • Controls audited: X
  • Conformant: X
  • Nonconformant: X
  • Observations: X

5. Conclusions:

  • ISMS conformance assessment
  • Readiness for certification (if applicable)
  • Key improvement areas

6. Appendices:

  • Detailed findings
  • Evidence references
  • Corrective action tracker

Corrective Action Management

Corrective Action Process

Corrective Action Process:

1. Finding Identified

2. Root Cause Analysis:

  • Analyze why the nonconformity happened, not just what was observed

3. Define Corrective Action:

  • What will be done
  • Who will do it
  • By when

4. Implement Action:

  • Execute the action

5. Verify Effectiveness:

  • Confirm the action addressed the root cause and the issue has not recurred

6. Close Finding:

  • Document closure

Corrective Action Tracker

Finding ID | Description | Owner | Due Date | Status | Verified
NC-2024-001 | Missing access reviews | IT Manager | 2024-03-15 | Closed | Yes
NC-2024-002 | Incomplete risk register | CISO | 2024-03-30 | In Progress | -
NC-2024-003 | Training gaps | HR Manager | 2024-04-15 | Open | -

Common Audit Findings

Typical Findings by Area

Documentation:

  • Policies not reviewed annually
  • Procedures not matching practice
  • Missing required documents
  • Outdated documentation

Access Control:

  • Quarterly access reviews not conducted
  • Access not removed promptly on termination
  • Excessive privileged access
  • MFA not fully deployed

Risk Management:

  • Risk register not updated
  • Methodology not followed
  • Risks not linked to controls
  • SoA inconsistent with risk register

Training:

  • Training not completed
  • No training records
  • Training content outdated
  • New hires not trained promptly

Operations:

  • Controls operating differently than documented
  • Missing evidence of control execution
  • Inconsistent process execution
  • No monitoring of control effectiveness

Best Practices

Do's

Practice | Benefit
Use checklists | Consistency and coverage
Document everything | Evidence for the external audit
Focus on evidence | Objective findings
Be constructive | Drive improvement, not blame
Follow up promptly | Ensure issues are resolved

Don'ts

Practice | Risk
Rush the audit | Miss issues
Accept verbal assurance | No evidence for external auditors
Ignore minor issues | May become major
Delay corrective actions | Issues compound
Audit your own work | Conflicts with objectivity

The Bastion Approach

Streamlined Internal Audits

Bastion supports effective internal audits:

Challenge | Bastion Solution
Audit planning | Pre-built audit programs
Audit checklists | Control-mapped checklists
Evidence collection | Automated evidence gathering
Finding tracking | Built-in corrective action management
Expert support | vCISO audit facilitation

Internal Audit Options

Option | Description
Self-audit with guidance | Use Bastion tools and templates
vCISO-led audit | Expert conducts the audit
Hybrid approach | Expert guidance with internal execution

Need help with your internal audit program? Talk to our team →
