Internal ISO Audit

Help Center

Answers to common questions about ISO 27001 internal audits, what to expect during the audit process, and how to prepare.

Getting Started

What is an ISO 27001 internal audit?

An internal audit is a systematic, independent review of your Information Security Management System (ISMS) to verify it meets ISO 27001:2022 requirements. It is required by Clause 9.2 of the standard and must be conducted at planned intervals — at minimum annually, and ideally before your certification or surveillance audit. The internal audit checks both conformity (does the ISMS meet the standard's requirements?) and effectiveness (is the ISMS actually working as intended?).

What documents do I need to prepare?

At minimum, you should have the following documents ready before an internal audit:

  • ISMS scope document — defining what systems, processes, and locations are covered
  • Information security policy — signed by top management
  • Risk assessment — with identified risks, likelihood, impact, and treatment decisions
  • Statement of Applicability (SoA) — listing all 93 Annex A controls with justification for inclusion or exclusion
  • Risk treatment plan — showing how selected controls will be implemented
  • Evidence of control implementation — access lists, scan reports, training records, incident logs

If any of these are missing, the auditor will note it as a finding. It is better to discover that in the internal audit than in the certification audit.

How is an internal audit different from a certification audit?

An internal audit is conducted by your own team or an independent consultant to identify gaps before the external auditor arrives. A certification audit is conducted by an accredited certification body (like BSI, Schellman, or A-LIGN) and results in an ISO 27001 certificate if you pass. Internal audits find and fix problems; certification audits verify that problems have been found and fixed. You need internal audit results as evidence for the certification audit.

Audit Process

How long does an internal audit take?

For a typical startup or small company (under 100 employees, cloud-native infrastructure), an internal audit takes 5-8 business days from scoping to report delivery. Larger or more complex organizations may require more time. The audit itself involves document review, staff interviews, and evidence collection — most of which can be done remotely.

What happens during the audit?

The audit follows a structured process: (1) Scoping — we define what is being audited and review your Statement of Applicability. (2) Document review — we review your policies, procedures, and risk assessment. (3) Control assessment — we walk through controls by domain, collect evidence, and interview key personnel. (4) Evidence collection — we verify that controls are not just documented but actually implemented and effective. (5) Report preparation — we compile findings with severity classifications. (6) Report delivery — you receive the written report and we conduct a follow-up Q&A session.

How do you classify findings?

Findings are classified into three severity levels:

  • Major nonconformity — A control is missing or completely ineffective. This is an audit failure risk for certification.
  • Minor nonconformity — A control exists but has gaps in implementation or evidence. Must be addressed before the next surveillance audit.
  • Observation — A potential improvement opportunity. Not a requirement, but recommended for strengthening the ISMS.

After the Audit

What is in the audit report?

The audit report includes: an executive summary with overall ISMS maturity assessment, the audit scope and methodology, detailed findings grouped by control domain with severity ratings, corrective action recommendations for each finding, positive observations (what is working well), and a conclusion with readiness assessment for external audit.

How do I write a corrective action?

A good corrective action has four parts: (1) Root cause analysis — why did the control fail? Not just "we forgot" but the systemic reason. (2) Corrective action — the specific fix you will implement. (3) Due date — when will it be completed. (4) Owner — who is responsible. For example: "Finding: No periodic access reviews. Root cause: No process or calendar reminder existed. Action: Implement quarterly access review using exported user lists from IdP, assign to IT Manager, complete by April 15."
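To show what the corrective action above looks like once it is implemented, here is an added example of a quarterly access review script. It is not part of this page or the audit service's own tooling, and it assumes two constructed CSV exports with made-up column names: an IdP user export (email, status, last_login, groups) and an HR roster (email, department, employment_status). The output is the list of accounts a reviewer must decide on, which is the evidence an auditor will ask for when checking that the review actually happened.

```python
"""Quarterly access review helper (added example, not the page's own code).

Reconciles an IdP user export against the HR roster and flags the accounts a
reviewer must explicitly approve or revoke: active accounts with no HR record,
accounts belonging to people HR no longer lists as employed, accounts with no
recent login, and accounts holding privileged group membership.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample IdP export; the column names are an assumption.
IDP_EXPORT = """email,status,last_login,groups
alice@example.com,active,2024-03-20,engineering;admins
bob@example.com,active,2023-11-02,engineering
carol@example.com,active,2024-03-28,finance
dave@example.com,suspended,2024-01-10,engineering
svc-deploy@example.com,active,2024-03-29,admins
"""

# Constructed sample HR roster; the column names are an assumption.
HR_ROSTER = """email,department,employment_status
alice@example.com,engineering,employed
bob@example.com,engineering,terminated
carol@example.com,finance,employed
dave@example.com,engineering,employed
"""

INACTIVITY_DAYS = 90              # review threshold chosen for this example
PRIVILEGED_GROUPS = {"admins"}    # groups that always need a named approver


def parse_csv(text):
    """Parse a CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def review_access(idp_rows, hr_rows, as_of, inactivity_days=INACTIVITY_DAYS):
    """Return (email, reason) pairs that need a reviewer decision.

    Only active IdP accounts are examined; disabled accounts are already
    out of scope for the review.
    """
    roster = {row["email"]: row for row in hr_rows}
    findings = []
    for acct in idp_rows:
        email = acct["email"]
        if acct["status"] != "active":
            continue
        groups = set(acct["groups"].split(";")) if acct["groups"] else set()

        person = roster.get(email)
        if person is None:
            findings.append((email, "no HR record (service or orphaned account)"))
        elif person["employment_status"] != "employed":
            findings.append((email, "HR status is %s but IdP account is active"
                             % person["employment_status"]))

        last_login = datetime.strptime(acct["last_login"], "%Y-%m-%d")
        if as_of - last_login > timedelta(days=inactivity_days):
            findings.append((email, "no login in %d days" % inactivity_days))

        privileged = groups & PRIVILEGED_GROUPS
        if privileged:
            findings.append((email, "privileged group membership: %s"
                             % ",".join(sorted(privileged))))
    return findings


def run_review(as_of_date):
    """Run the review over the embedded sample exports as of the given date."""
    as_of = datetime.strptime(as_of_date, "%Y-%m-%d")
    return review_access(parse_csv(IDP_EXPORT), parse_csv(HR_ROSTER), as_of)


if __name__ == "__main__":
    # Each printed line becomes a row in the review record; the reviewer
    # adds a keep/revoke decision and a date, and the file is kept as evidence.
    for email, reason in run_review("2024-04-01"):
        print(f"{email}: {reason}")
```

Run it once per quarter against fresh exports and keep the annotated output with the reviewer's decisions; a calendar entry that produces this file each quarter addresses the root cause named in the example finding (no process or reminder existed), not just the symptom.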

Pricing

How much does the audit cost?

Our standard ISO 27001 internal audit is a flat $300. This covers one complete audit engagement for a typical startup or small company scope.

What's included in the $300?

The flat rate includes: audit plan tailored to your ISMS scope, document and policy review against ISO 27001:2022, staff interviews and control walkthroughs, written findings report with severity classifications, corrective action recommendations for each finding, and one follow-up Q&A session after report delivery. Not included: ISO 27001 certification (requires accredited certification body), on-site travel (audit is conducted remotely), and complex multi-entity scope (priced separately).

Need More Help?

Contact us directly

For audit-specific questions, email us with details about your ISMS scope and timeline.
