Internal Audit (ISO 27001)

Internal audit is a systematic and independent review of your ISMS that verifies whether the organisation actually complies with ISO 27001 requirements in practice. It is a mandatory requirement in the standard and serves as the organisation's self-assessment before the external certification audit takes place.


What is an internal audit?

An internal audit is a planned review of the organisation's ISMS, conducted by the organisation's own staff or an external party on behalf of the organisation. The purpose is to assess whether the ISMS meets ISO 27001's requirements and whether it is effectively implemented and maintained.

The internal audit is required by ISO 27001 Clause 9.2 and must be conducted at regular intervals. Results from internal audits are an important part of the input to the management review.

Purpose and requirements

The internal audit serves two overarching purposes:

• Conformity assessment: Verify that the ISMS meets the organisation's own requirements and the requirements in ISO 27001.
• Effectiveness evaluation: Assess whether the ISMS is actually implemented and maintained in practice.

ISO 27001 sets specific requirements for the internal audit: there must be an audit programme, auditors must be impartial (they must not audit their own work), and results must be documented and reported to management.

The audit process

A typical internal audit follows these steps:

• Planning: Define audit scope, criteria and methodology. Appoint impartial auditors.
• Preparation: Review documentation, prepare checklists and agree timings with those affected.
• Execution: Conduct interviews, observe processes and review documentation and evidence.
• Reporting: Document findings, non-conformities and observations in an audit report.
• Follow-up: Initiate corrective actions for identified non-conformities.

Document everything:
ISO 27001 requires that the results of the internal audit are retained as documented information. The audit report is a key document that the external auditor will review during the certification audit.

Non-conformities and corrective actions

When an internal audit identifies non-conformities, the organisation must initiate corrective actions. This involves analysing the root cause of the non-conformity, implementing a solution and verifying that the solution is effective. All these steps must be documented (Clause 10.1).

Frequently Asked Questions about Internal Audit (ISO 27001)

What is an internal audit in ISO 27001?

An internal audit is a systematic, independent review of the organisation's ISMS. The purpose is to assess whether the ISMS meets ISO 27001's requirements and is effectively implemented. Internal audit is a mandatory requirement in the standard (Clause 9.2).

Can internal auditors audit their own work?

No. ISO 27001 requires that auditors are impartial and do not audit their own work. This is the objectivity requirement. In smaller organisations, this may mean engaging an external consultant as the internal auditor.

How often should internal audits be conducted?

ISO 27001 requires that internal audits are conducted at planned intervals. In practice, at least once per year is the standard. Frequency can be adjusted based on the importance of the processes in question and previous audit results.

What happens if non-conformities are found during an internal audit?

The organisation must initiate corrective actions: analyse the root cause, implement a solution and verify its effectiveness. All steps must be documented. Non-conformities must be resolved before the external certification audit to avoid issues.

Who can conduct an internal audit?

Internal audits can be conducted by the organisation's own staff or by an external party on the organisation's behalf. The key requirement is that auditors must be impartial and competent. They must not audit processes they are directly responsible for.
