How to Perform ISO 27001 Internal Audit? Step-by-Step Guide

We examine the ISO 27001 internal audit process, planning steps, and independent audit methodologies, which are among the most important requirements of the Information Security Management System (ISMS).
Published
June 26, 2026
Updated
June 26, 2026
Reading Time
8 min read
Author
LeonX Team

One of the most critical stages of the ISO 27001 Information Security Management System (ISMS) certification process and its sustainability is the internal audit. The ISO 27001 standard (Clause 9.2) requires organizations to conduct internal audits at planned intervals to verify whether the ISMS conforms to the standard requirements, their own defined policies, and legal regulations.

Internal audits are a proactive early warning mechanism that measures your organization's information security maturity, allowing you to detect and resolve potential security vulnerabilities and deficiencies before external auditors (certification audit) arrive. In this guide, we will cover step-by-step how to plan, implement, and report the ISO 27001 internal audit process.

What is ISO 27001 Internal Audit and Why is it Important?

An ISO 27001 internal audit is an independent and impartial review process conducted to evaluate the effectiveness, adequacy, and compliance of the Information Security Management System. Internal audit is not just a "checklist filling" activity, but a strategic management tool for continuous improvement of the system (PDCA - Plan-Do-Check-Act cycle).

The main benefits of internal audits to organizations are:

  • Preparation for External Audit: Allows all nonconformities to be detected and resolved before the certification audit.
  • Early Detection of Risks: Ensures that new threats to information assets or vulnerabilities in existing controls are noticed.
  • Managerial Visibility: Provides objective evidence to senior management about how well information security policies are implemented in the field.
  • Spreading the Security Culture: The audit process itself raises employees' information security awareness and sense of responsibility.

Step-by-Step ISO 27001 Internal Audit Process

A successful internal audit requires a methodological and planned approach. The process generally consists of 4 main stages:

1. Planning and Preparation (Audit Planning)

A comprehensive audit plan must be prepared before the audit process begins. This plan should include:

  • Audit Scope: Which departments, physical locations, and processes will be audited.
  • Audit Schedule: When the audit will start and how long it will take.
  • Audit Team: Who will perform the audit (the internal auditors).
  • Audit Criteria: The ISO 27001 standard clauses, Annex A controls, and internal procedures that will serve as the reference.

Important Rule (Objectivity and Independence): Auditors cannot audit their own processes. For example, the IT manager cannot audit the IT infrastructure they set up and manage. To ensure independence, trained personnel from different departments should perform cross-audits or professional support should be obtained from outside.

2. Audit Execution

On the day of the audit, auditors conduct interviews with relevant department managers and employees. At this stage, the following methods are used:

  • Questioning and Interview: Employees' familiarity with information security procedures is measured.
  • Evidence Collection: Tangible evidence (log records, approval forms, backup reports, access authorization lists) showing that policies and procedures are implemented is examined.
  • Observation: The security of physical areas (clean desk/clean screen policy, server room entry controls, etc.) is observed on-site.

3. Reporting and Evaluation of Findings

After the audit is completed, the collected evidence is analyzed and an "Internal Audit Report" is prepared. Findings are generally classified into three categories:

  • Major Nonconformity: Complete disregard of a requirement of the standard or major vulnerabilities that prevent the system from working (e.g., lack of a backup policy or no backups taken at all).
  • Minor Nonconformity: Small deviations that do not disrupt the general system but need to be corrected (e.g., an employee not complying with the clean screen policy).
  • Opportunity for Improvement (OFI): Suggestions for processes that already meet the standard's requirements but could be made more efficient.

4. Corrective Actions and Follow-up (CAPA)

A "Corrective Action" (CAPA) must be initiated by the relevant departments for each nonconformity specified in the report. In this process:

  • The root cause of the nonconformity is analyzed.
  • Actions are planned to eliminate the root cause.
  • Target dates and responsible persons are determined for the actions.
  • At the end of the specified period, internal auditors conduct a follow-up audit to verify the effectiveness of the corrective actions.

Independence Issue and Outsourcing in Small Companies

Especially in small-scale organizations such as SMEs and technopark companies in Ankara, it is very difficult to implement the principle of independence of internal auditors. Due to the limited number of personnel, employees may have to take on multiple roles, which prevents objective auditing.

In such cases, the soundest solution is to have the internal audit process run entirely by an independent, professional outside party. As LeonX, we analyze your company's business model and risk profile to offer objective and value-added Business and Management Consulting solutions.

Thanks to the independent internal audits we conduct with our expert auditors, we guarantee that you will successfully pass certification audits while offering strategic suggestions to improve your corporate processes. For detailed information, you can review our Information Security Policy Consulting page.

ISO 27001 Internal Audit Checklist (Sample Questions)

Some basic questions that auditors frequently ask during internal audits are:

  • Leadership: How does senior management support information security objectives? Are management review meetings held regularly?
  • Risk Management: Is the risk assessment methodology up-to-date? Have action plans been created for identified risks?
  • Access Control: Are user authorizations in line with the "least privilege" principle? Is Multi-Factor Authentication (MFA) active on critical systems?
  • Backup: Is a backup policy defined? Are backup restore tests performed and reported regularly?
  • Physical Security: How are entry authorizations to the server room controlled and recorded?
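As an added example (not code from the original article or from LeonX), the script below shows how an auditor might check one of the evidence types listed under Audit Execution, an exported access authorization list, against the Access Control checklist questions above: privileged accounts on critical systems without MFA, roles outside a department's approved set (least privilege), and authorizations not re-certified within the review period. The record format, the role baseline, the set of critical systems, the 180-day review interval, the audit date and the sample records are all constructed assumptions; a real check would read the organization's own export and baseline.

```python
"""Access authorization list check for an ISO 27001 internal audit (added example, assumptions labelled)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class AccessRecord:
    """One row of an exported access authorization list (constructed format)."""
    user: str
    department: str
    system: str
    role: str
    mfa_enabled: bool
    last_review: date  # when this authorization was last approved or re-certified


# Hypothetical least-privilege baseline: roles each department is approved to hold per system.
ROLE_BASELINE = {
    ("finance", "erp"): {"user"},
    ("it", "erp"): {"admin"},
    ("it", "vpn"): {"admin", "user"},
    ("hr", "hris"): {"admin", "user"},
}
CRITICAL_SYSTEMS = {"erp", "vpn", "hris"}  # systems where the (assumed) policy requires MFA
PRIVILEGED_ROLES = {"admin"}
REVIEW_PERIOD_DAYS = 180  # assumed access re-certification interval
AUDIT_DATE = date(2026, 6, 26)

# Constructed sample export; not real data.
SAMPLE_RECORDS = [
    AccessRecord("ayse", "finance", "erp", "user", True, date(2026, 3, 1)),
    AccessRecord("mehmet", "it", "erp", "admin", False, date(2026, 4, 10)),
    AccessRecord("elif", "finance", "erp", "admin", True, date(2025, 9, 1)),
    AccessRecord("can", "it", "vpn", "admin", True, date(2026, 5, 15)),
    AccessRecord("can", "it", "hris", "user", True, date(2026, 5, 15)),
    AccessRecord("zeynep", "hr", "hris", "user", True, date(2026, 2, 1)),
    AccessRecord("burak", "hr", "hris", "admin", False, date(2026, 6, 1)),
]


def privileged_without_mfa(records):
    """Privileged accounts on critical systems with MFA switched off."""
    return sorted(
        (r.user, r.system)
        for r in records
        if r.role in PRIVILEGED_ROLES and r.system in CRITICAL_SYSTEMS and not r.mfa_enabled
    )


def roles_outside_baseline(records, baseline):
    """Authorizations not covered by the department's approved role set (least privilege).
    A (department, system) pair missing from the baseline means no role is approved at all."""
    return sorted(
        (r.user, r.system, r.role)
        for r in records
        if r.role not in baseline.get((r.department, r.system), set())
    )


def overdue_reviews(records, today):
    """Authorizations whose last review is older than the re-certification period."""
    return sorted(
        (r.user, r.system)
        for r in records
        if (today - r.last_review).days > REVIEW_PERIOD_DAYS
    )


def audit_findings(records, today):
    """Run every check and return the hits, ready to be attached to the audit report as evidence."""
    return {
        "privileged_without_mfa": privileged_without_mfa(records),
        "roles_outside_baseline": roles_outside_baseline(records, ROLE_BASELINE),
        "overdue_reviews": overdue_reviews(records, today),
    }


if __name__ == "__main__":
    for check, hits in audit_findings(SAMPLE_RECORDS, AUDIT_DATE).items():
        print(f"{check}: {len(hits)} finding(s)")
        for hit in hits:
            print("  ", *hit)
```

Each hit is a concrete, reproducible piece of evidence: the auditor records the export file, the date it was taken and the baseline used, so the finding can be verified again during the follow-up audit after corrective action.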

To conduct an impartial, professional, and value-adding ISO 27001 internal audit process in your organization and prepare fully for external audits, you can contact us at any time.

Frequently Asked Questions

How many times a year should an internal audit be performed?

The ISO 27001 standard does not specify a precise number; however, it requires audits to be conducted at "planned intervals." The generally accepted best practice is to conduct internal audits at least once a year (about 1-2 months before the certification or surveillance audit) to cover the entire system. This frequency can be increased for critical processes or frequently changing areas.

Should the internal audit report be shown to the external auditor?

Yes. External auditors (certification body auditors) want to check whether the organization's self-audit and improvement mechanism is working. Therefore, the internal audit plan, internal audit report, and records of corrective actions opened, if any, must be presented to the external auditor.

Does having nonconformities in the internal audit prevent us from getting certified?

No, on the contrary, it is a positive situation. Having nonconformities in the internal audit and initiating corrective actions for them shows that the system's self-improvement mechanism (PDCA) is actively working. External auditors may approach an internal audit report with "no nonconformities found" with suspicion. What is important is that the detected nonconformities have been closed or linked to a reasonable action plan before the external audit.

Conclusion

The ISO 27001 internal audit is the control mechanism that forms the heart of your Information Security Management System. A well-planned, impartial, and evidence-based internal audit process not only prepares your organization for external audits but also continuously moves your cybersecurity posture one step forward. Remember that organizations that can proactively detect and correct their own mistakes are always the most prepared against cyber threats.
