ISO 27001 internal audits

An effective ISO 27001 internal audit should do more than check whether documents exist.

It should test whether your information security management system is working in practice, whether risks are being reviewed, whether controls are being maintained, and whether the organisation is ready for external audit.

ID Risk and Compliance provides ISO 27001 internal audit support for organisations that need an independent, practical review of their ISMS. We help businesses identify gaps, review evidence, test Annex A controls and prepare for certification, surveillance or recertification audits.

Our approach is designed to be useful, proportionate and focused on real information security risk.

Why ISO 27001 internal audits matter

Internal audits are a core part of ISO 27001. They help the organisation check whether the ISMS conforms to the standard, meets the organisation’s own requirements, and is being properly implemented and maintained.

However, internal audits are often treated as a paperwork exercise. A checklist is completed, a few documents are reviewed, and the audit is filed away until the next external assessment.

That approach can miss important weaknesses.

A strong ISO 27001 internal audit should look at how the system works in practice. It should consider whether the risk assessment is current, whether the Statement of Applicability reflects reality, whether selected controls are operating effectively, whether responsibilities are clear, and whether the organisation has evidence to support what it says it does.

This gives senior management a clearer view of whether the ISMS is genuinely protecting the business or simply existing as a set of documents.

What an ISO 27001 internal audit should cover

The scope of an ISO 27001 internal audit should be based on the organisation, its risks, its previous findings, its certification status and the maturity of the ISMS.

An audit may include a review of the ISMS scope, context, interested parties, leadership responsibilities, information security policy, risk assessment methodology, risk treatment plan, Statement of Applicability, objectives, competence records, awareness arrangements, communication, documented information, operational planning, performance evaluation, internal audit programme, management review and continual improvement.

It should also include a practical review of relevant Annex A controls. This may cover areas such as policies for information security, roles and responsibilities, segregation of duties, asset management, acceptable use, access control, supplier relationships, cloud services, incident management, business continuity, backup arrangements, logging and monitoring, vulnerability management, secure configuration, data protection, physical security and secure development where applicable.

The purpose is not to audit every control in the same depth every time. The purpose is to focus on the areas that matter most to the organisation and to build an audit programme that gives meaningful assurance over time.

Auditing the Statement of Applicability

The Statement of Applicability is a key part of an ISO 27001 internal audit.

It should explain which Annex A controls are applicable, which are not applicable, why decisions have been made, and how applicable controls are implemented. It should also connect back to the risk assessment and risk treatment plan.

During an internal audit, the SoA should be tested against reality.

Are the controls marked as implemented actually operating?

Are exclusions still justified?

Do the implementation descriptions match current practice?

Have new systems, suppliers, processes or risks changed the applicability of any controls?

Is there evidence to show that controls are being maintained?

This is particularly important for organisations that have changed since certification. New software, new data flows, new customers, new suppliers, remote working changes, staff changes and new contractual requirements can all affect the accuracy of the Statement of Applicability.

An internal audit helps identify those changes before they become a problem during an external audit.

Testing evidence, not just documents

ISO 27001 internal audits should not be limited to reading policies.

Policies are important, but they need to be supported by evidence that the organisation is doing what it says it does.

This evidence might include access review records, supplier reviews, staff training records, incident logs, backup reports, vulnerability scans, change records, asset registers, risk treatment actions, management review minutes, internal communications, audit trails, configuration screenshots, business continuity tests, corrective action records and meeting notes.

The audit should consider whether the evidence is current, complete and reliable. It should also check whether evidence is easy to locate and whether staff understand the processes they are responsible for.

This helps avoid the common situation where a business has written procedures, but cannot demonstrate that those procedures are being followed consistently.

Preparing for external ISO 27001 audits

A well-planned internal audit can significantly reduce the pressure of an external ISO 27001 audit.

Before a certification, surveillance or recertification audit, an internal audit can help identify weak areas, missing evidence, outdated documents and actions that need to be completed. It can also help the organisation prepare staff for the types of questions an external auditor may ask.

This does not mean rehearsing answers or creating artificial evidence. It means making sure the business understands its own system and can explain how information security is managed in practice.

For many organisations, this is where independent internal audit support is particularly valuable. An external reviewer can challenge assumptions, spot gaps that internal teams may overlook, and provide a clearer view of audit readiness.

Independent internal audit support

Internal audits need to be objective and impartial. This can be difficult when the person responsible for maintaining the ISMS is also expected to audit it.

For smaller businesses, this is a common problem. The same person may manage the risk register, update the Statement of Applicability, maintain policies, gather evidence and prepare for external audits. Asking that person to independently audit their own work is not ideal.

ID Risk and Compliance can provide independent ISO 27001 internal audit support to help address this issue. We can review the system from an external perspective, test evidence, interview relevant staff and provide clear findings that help the business improve.

This can support impartiality, strengthen the internal audit programme and give senior management more confidence in the results.

What you receive from an ISO 27001 internal audit

The output of an internal audit should be clear, useful and action-focused.

Following an audit, you should understand what was reviewed, what evidence was sampled, what was working well, where gaps were found, and what actions are needed.

Findings may include nonconformities, observations, improvement opportunities or recommendations, depending on the issue. The aim is not to produce a long list of minor comments for the sake of it. The aim is to identify matters that could affect the effectiveness of the ISMS, the strength of information security controls, or the organisation’s ability to demonstrate compliance.

A good internal audit report should help the business take action, not just satisfy a requirement.

Who this service is for

ISO 27001 internal audit support is suitable for organisations preparing for certification, organisations already certified to ISO 27001, and businesses that need an independent review of their ISMS.

It is particularly useful if your internal audit programme is behind schedule, if your external audit is approaching, if your Statement of Applicability has not been tested recently, if your risk assessment needs review, or if internal staff do not have the time or independence to audit the system properly.

It may also be useful where the organisation has changed significantly since the last audit, introduced new systems, changed suppliers, expanded services, taken on new customer security requirements, or experienced security incidents.

How ID Risk and Compliance can help

ID Risk and Compliance provides practical ISO 27001 internal audit support tailored to your organisation.

We can audit your ISMS against ISO 27001 requirements, review the operation of Annex A controls, test evidence, assess audit readiness, identify gaps and provide a clear report with practical actions.

Our audits are designed to support improvement as well as compliance. We focus on whether the system reflects how the business actually operates, whether risks are being managed effectively, and whether the organisation can demonstrate that its information security controls are working.

Need an independent ISO 27001 internal audit?

ID Risk and Compliance can help you review your ISMS, test controls, identify gaps and prepare for your next certification, surveillance or customer audit.

Contact us to discuss ISO 27001 internal audit support for your organisation.