
Best Practices for ISO 27001 Internal Audit

A practical guide to planning, executing, and following up on ISO 27001 internal audits, including auditor independence, evidence-based techniques, and turning findings into meaningful improvements.

Agency Team · 12 min read

The internal audit is the mechanism that keeps your ISO 27001 ISMS honest. Done well, it identifies weaknesses before your certification body does and drives genuine improvement in your security posture. Done poorly, it becomes a check-the-box exercise that adds cost without value. Here is how we advise clients to build an internal audit program that actually works.

ISO 27001 Clause 9.2 requires organizations to conduct internal audits at planned intervals to determine whether the ISMS conforms to the organization's own requirements and the requirements of the standard, and whether it is effectively implemented and maintained. This sounds straightforward, but the difference between organizations that treat internal audit as a compliance obligation and those that use it as a genuine improvement tool is significant -- and auditors from certification bodies can tell the difference immediately.

This guide covers the full internal audit lifecycle: planning and program design, execution techniques, finding categorization, and follow-up processes that turn audit results into measurable improvements.

Planning the Internal Audit

Build a Risk-Based Audit Program

ISO 27001 does not require you to audit everything at the same depth every cycle. It requires a risk-based audit program, which means allocating more audit time and scrutiny to higher-risk areas. In practice, this means:

  • High-risk areas (areas with recent incidents, new systems, significant changes, or previous nonconformities) receive detailed audit attention
  • Medium-risk areas (stable processes with moderate change) receive standard audit coverage
  • Low-risk areas (mature, stable processes with strong track records) can receive lighter-touch verification

A practical approach is to create a three-year audit program that ensures complete ISMS coverage within each certification cycle while varying the depth based on risk:

Audit Cycle | High-Risk Areas (Detailed)                                  | Medium-Risk Areas (Standard)                                | Low-Risk Areas (Verification)
------------|-------------------------------------------------------------|-------------------------------------------------------------|-------------------------------------
Year 1      | Access control, incident response, risk assessment          | Change management, HR security, asset management            | Physical security, communications
Year 2      | Change management, supplier management, business continuity | Access control, incident response, logging and monitoring   | HR security, asset management
Year 3      | Risk assessment, cryptography, network security             | Supplier management, business continuity, physical security | Change management, incident response

We tell clients that the risk-based audit program should evolve each year based on what was learned in the previous cycle: areas where nonconformities were found receive elevated scrutiny in the following cycle, and areas that have been clean for multiple cycles can move to lighter-touch coverage.

Ensure Auditor Independence

Clause 9.2 requires that auditors do not audit their own work. This is the independence requirement, and it is non-negotiable. There are several models for achieving independence:

Internal cross-department auditing. Train employees from different departments to audit each other. The IT security manager audits HR processes; the HR manager audits IT processes. This is cost-effective but requires investment in auditor training.

Dedicated internal audit function. Larger organizations may have an internal audit team that is organizationally separate from the teams they audit. This provides the strongest independence for internal audits.

External internal audit services. Hire a consulting firm to conduct your internal audit. This provides both independence and expertise but comes at a higher cost. Note that your certification body cannot serve as your internal auditor -- this would create a conflict of interest.

Hybrid model. Use internal auditors for most areas but bring in external specialists for high-risk or technically complex areas. In our experience, this is the most effective model for mid-sized organizations.

Regardless of the model, document auditor assignments and their basis for independence. Certification body auditors will review this as part of their assessment.

Define the Audit Scope and Criteria

Before each audit engagement, document:

  • Scope: Which ISMS processes, departments, locations, and controls will be audited
  • Criteria: The specific requirements against which you are auditing (ISO 27001 clauses, Annex A controls, internal policies, and procedures)
  • Objectives: What the audit aims to determine beyond basic conformance (for example, effectiveness of recent changes, adequacy of new controls)
  • Methods: How the audit will be conducted (document review, interviews, observation, technical testing)

Create a Scope-Aligned Checklist

Your audit checklist should map directly to your Statement of Applicability and the ISO 27001 clauses. For each applicable control, the checklist should include:

  • The control reference and description
  • The expected evidence (what you expect to see)
  • The interview targets (who to speak with)
  • The sampling approach (how many records, which timeframe)
  • Space for findings and evidence references

A well-structured checklist ensures consistency across auditors and audit cycles. It also serves as a training tool for less experienced auditors.

For a comprehensive view of ISO 27001 requirements to build your checklist against, see our ISO 27001 requirements checklist.

Executing the Internal Audit

Opening Meeting

Every audit engagement should begin with an opening meeting that includes:

  • Confirmation of audit scope, criteria, and objectives
  • Introduction of the audit team and their roles
  • Confirmation of the audit schedule and logistics
  • Agreement on finding categories and reporting format
  • Identification of any constraints or concerns from auditees

The opening meeting sets the tone. We advise auditors to be clear that the audit is about improving the ISMS, not about catching people doing things wrong. This reduces defensiveness and improves the quality of information you receive during the audit.

Evidence-Based Auditing Techniques

Strong internal audits rely on multiple evidence sources rather than accepting any single source at face value. The four primary evidence gathering techniques are:

Document review. Examine policies, procedures, records, logs, and reports. Look for:

  • Currency: Are documents up to date and reviewed within their defined review cycle?
  • Completeness: Do documents address all required elements?
  • Consistency: Do documents align with each other and with actual practice?
  • Approval: Are documents formally approved by appropriate authorities?

Interviews. Speak with personnel at multiple levels to verify understanding and implementation. Effective interview techniques include:

  • Ask open-ended questions ("Walk me through how you handle a security incident") rather than leading questions ("You follow the incident response procedure, correct?")
  • Interview multiple people in the same role to verify consistency
  • Ask for specific recent examples rather than hypothetical descriptions
  • Follow up on vague answers with requests for evidence

Observation. Watch processes being performed in real time where possible. This is particularly valuable for:

  • Physical security controls (access control, visitor management, clean desk)
  • Operational procedures (change management, backup processes)
  • Security awareness behaviors (screen locking, badge usage)

Technical verification. Where feasible, verify technical controls directly:

  • Review access control lists against the principle of least privilege
  • Verify encryption configurations against policy requirements
  • Check log aggregation and alerting configurations
  • Test backup restoration procedures

Sampling Strategy

You cannot audit every record, every system, and every employee. Sampling is essential, but it must be defensible. We recommend:

Population Size | Minimum Sample Size | Basis
----------------|---------------------|--------------------------------
1-10            | All                 | Full population review
11-50           | 10                  | Approximately 20-25%
51-100          | 15                  | Diminishing returns above this
101-500         | 20-25               | Statistical adequacy
500+            | 25-30               | Standard audit sampling

Apply judgment-based sampling adjustments:

  • Increase sample size for high-risk areas
  • Include recent items (last 30 days) to check current practice
  • Include items from different time periods to check consistency
  • Include items from different systems or locations for coverage
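The sizing table and the judgment adjustments above, turned into a selection routine, as an added example that is not part of the original article. It assumes each record carries an id, a date and a system/location field, reserves about a third of the sample for items from the last 30 days (an assumed share; the article only says to include them), and takes the upper bound of a range for high-risk areas.

```python
from datetime import date, timedelta

def minimum_sample_size(population, high_risk=False):
    """Minimum sample size per the table above; high-risk areas take a range's upper bound."""
    if population <= 10:
        return population                       # 1-10: full population review
    for limit, low, high in ((50, 10, 10), (100, 15, 15), (500, 20, 25)):
        if population <= limit:
            return high if high_risk else low
    return 30 if high_risk else 25              # 500+: standard audit sampling

def _evenly_spaced(items, n):
    """Pick n items evenly across a date-sorted list (coverage of different time periods)."""
    if n <= 0 or n >= len(items):
        return list(items)[:max(n, 0)]
    step = len(items) / n
    return [items[int(i * step)] for i in range(n)]

def _across_systems(items, n):
    """Round-robin across systems/locations, evenly spaced in time within each system."""
    groups = {}
    for r in items: groups.setdefault(r["system"], []).append(r)
    quota = -(-n // max(1, len(groups)))        # ceil(n / number of systems)
    spaced = {s: _evenly_spaced(g, quota) for s, g in groups.items()}
    picks = []
    while len(picks) < n and any(spaced.values()):
        for s in sorted(spaced):
            if spaced[s] and len(picks) < n:
                picks.append(spaced[s].pop(0))
    return picks

def select_sample(records, sample_size, today, recent_days=30):
    """Stratified pick: about a third recent items (assumed share), the rest spread over older periods and systems."""
    ordered = sorted(records, key=lambda r: r["date"])
    cutoff = today - timedelta(days=recent_days)
    recent = [r for r in ordered if r["date"] >= cutoff]
    older = [r for r in ordered if r["date"] < cutoff]
    n_recent = min(len(recent), max(1, sample_size // 3))
    picks = _evenly_spaced(recent, n_recent) + _across_systems(older, sample_size - n_recent)
    chosen = {r["id"] for r in picks}           # top up if a stratum was too small
    picks += [r for r in ordered if r["id"] not in chosen][: sample_size - len(picks)]
    return picks

# Constructed population: 60 access-review records over about six months on three systems.
TODAY = date(2024, 6, 30)
SAMPLE_RECORDS = [{"id": f"AR-{i:03d}", "date": TODAY - timedelta(days=3 * i),
                   "system": ("hr-db", "erp", "vpn")[i % 3]} for i in range(60)]

def demo():
    """Apply the plan to the constructed population; returns a summary for checking."""
    n = minimum_sample_size(len(SAMPLE_RECORDS))
    sample = select_sample(SAMPLE_RECORDS, n, TODAY)
    return {"sample_size": n, "unique": len({r["id"] for r in sample}),
            "recent": sum(r["date"] >= TODAY - timedelta(days=30) for r in sample),
            "systems": sorted({r["system"] for r in sample})}
```

Record the sample size, the selection rule and the selected ids in the audit working papers so the sample is defensible when the certification body asks how it was drawn.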

Categorizing Findings

Consistent finding categorization is critical for meaningful reporting and trend analysis. We recommend three categories:

Major nonconformity. A complete absence of a required control or a systemic failure of an implemented control. Examples:

  • No risk assessment has been performed
  • Access reviews are defined in policy but have never been conducted
  • Incident response procedure does not exist
  • Critical security patches have not been applied for more than 90 days across all systems

Minor nonconformity. A partial implementation or isolated failure of a required control. Examples:

  • Access reviews are conducted but two of twenty reviews were missed in the last cycle
  • Risk assessment exists but does not cover a recently deployed system
  • One out of ten sampled users has excessive access privileges
  • A single policy document is past its review date

Opportunity for improvement (OFI). A finding that is not a violation of any requirement but represents an area where the ISMS could be strengthened. Examples:

  • Incident response testing is conducted annually but would benefit from quarterly tabletop exercises
  • Security awareness training covers all required topics but could include more role-specific content
  • Documentation is adequate but could be more consistently formatted

Documenting Findings

Each finding should be documented with sufficient detail for the auditee to understand and address it:

  • Finding reference number for tracking
  • Category (major nonconformity, minor nonconformity, OFI)
  • Clause/control reference (which ISO 27001 clause or Annex A control)
  • Description of the finding (what was observed)
  • Evidence (specific documents, records, or observations that support the finding)
  • Requirement (what the standard or internal policy requires)
  • Impact (why this matters for the ISMS)

Avoid vague findings. "Access control needs improvement" is not actionable. "Seven of twenty-five sampled user accounts retained access privileges to the production environment after role changes, contrary to A.5.18 (Access rights) which requires access review upon role change" is actionable.
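How the technical verification of access rights described earlier (reviewing access against least privilege after role changes) produces a finding carrying the seven fields listed in this section, as an added example that is not the article's own code. The Account structure, the categorization rule (no review ever conducted is systemic and therefore major, otherwise minor) and the constructed 25-account sample with seven stale entries are assumptions modelled on the example finding above.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Account:
    user: str
    prod_access: bool                    # currently holds production access
    role_changed: Optional[date]         # most recent role change, if any
    last_review: Optional[date]          # most recent access review covering the account

def stale_after_role_change(accounts):
    """Production access that was never re-reviewed after the user's role changed."""
    return [a for a in accounts if a.prod_access and a.role_changed is not None
            and (a.last_review is None or a.last_review < a.role_changed)]

def categorize(sampled, affected):
    """Major when the review has never been conducted (systemic), minor for isolated misses.
    Assumption: 'never conducted' means no sampled account has any review on record."""
    if not affected:
        return None
    if all(a.last_review is None for a in sampled):
        return "major nonconformity"
    return "minor nonconformity"

REQUIRED_FIELDS = ("reference", "category", "control", "description",
                   "evidence", "requirement", "impact")

def write_finding(reference, sampled, affected):
    """Assemble a finding record with every field the guidance calls for, or None if clean."""
    category = categorize(sampled, affected)
    if category is None:
        return None
    return {
        "reference": reference,
        "category": category,
        "control": "A.5.18 (Access rights)",
        "description": (f"{len(affected)} of {len(sampled)} sampled user accounts retained access "
                        "privileges to the production environment after role changes"),
        "evidence": [f"{a.user}: role changed {a.role_changed}, last access review "
                     f"{a.last_review or 'none on record'}" for a in affected],
        "requirement": "A.5.18 requires access rights to be reviewed upon role change",
        "impact": "Users keep production privileges their new role does not need (least privilege not maintained)",
    }

def is_complete(finding):
    """Documentation check: every required field present and non-empty."""
    return all(finding.get(f) for f in REQUIRED_FIELDS)

# Constructed sample of 25 accounts: 7 changed role after their last review and kept prod access.
_REVIEW = date(2024, 3, 31)
SAMPLE = [Account(f"user{i:02d}", prod_access=(i < 7 or i % 3 != 0),
                  role_changed=(date(2024, 5, 1) + timedelta(days=i)) if i < 7 else (date(2024, 2, 1) if i % 2 else None),
                  last_review=_REVIEW) for i in range(25)]
```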

Reporting and Follow-Up

The Internal Audit Report

The audit report is a key input to the management review (Clause 9.3) and must be comprehensive enough to support informed decision-making. A well-structured report includes:

  1. Executive summary with overall ISMS health assessment and key statistics
  2. Scope and methodology description
  3. Summary of findings by category with trend analysis against previous audits
  4. Detailed findings with evidence and categorization
  5. Positive observations (areas of strong compliance or notable improvement)
  6. Recommendations for systemic improvements
  7. Appendices with auditor qualifications, checklist results, and evidence references

Root Cause Analysis

For every nonconformity, require a root cause analysis before accepting a corrective action plan. The most common root causes we see in ISO 27001 internal audits:

Root Cause Category   | Examples                                                                 | Typical Corrective Actions
----------------------|--------------------------------------------------------------------------|------------------------------------------------------------
Inadequate procedures | Process not documented or documented process is unclear                  | Rewrite or create procedure; conduct training
Training gaps         | Personnel unaware of requirements or how to follow them                  | Targeted training; update onboarding materials
Resource constraints  | Insufficient time or personnel to perform required activities            | Adjust workload allocation; consider automation
Monitoring failure    | Control exists but no mechanism to verify ongoing operation              | Implement monitoring; add to operational checklist
Change management gap | Change introduced without updating related controls or documentation    | Update change management to include ISMS impact assessment

Insist on root cause analysis rather than symptom-level fixes. If three users had excessive access, the corrective action should not be "remove excessive access from three users" -- it should address why the access review process failed to catch the problem.

Corrective Action Management

For each nonconformity, the corrective action process should include:

  1. Root cause analysis (documented)
  2. Proposed corrective action with responsible party and timeline
  3. Acceptance of the corrective action by the audit team (is it likely to address the root cause?)
  4. Implementation with evidence of completion
  5. Verification of effectiveness after a defined period (typically 30 to 90 days)

Track corrective actions in a centralized system -- whether that is a GRC platform, a ticketing system, or a simple tracker. The critical requirement is that nothing falls through the cracks and that each corrective action is verified for effectiveness, not just completion.

Connecting Internal Audit to Management Review

Clause 9.3 requires management reviews at planned intervals, and internal audit results are a mandatory input. Prepare a management review package that includes:

  • Summary of internal audit findings and trends
  • Status of corrective actions from current and previous audits
  • Performance metrics for the ISMS (incidents, risk levels, compliance scores)
  • Recommendations requiring management decision or resource allocation
  • Changes in the external or internal context that may affect the ISMS

The management review is where internal audit findings get the resources and executive attention needed to drive real improvement. Without a strong connection between internal audit and management review, findings languish in tracking spreadsheets.

Building Internal Audit Capability Over Time

Training Internal Auditors

If you are using internal staff as auditors, invest in their development:

  • ISO 19011 training (guidelines for auditing management systems) provides the foundational audit methodology
  • ISO 27001 lead auditor training provides deep understanding of the standard's requirements
  • Shadowing experienced auditors during real audits builds practical skills
  • Annual refresher training keeps skills current and introduces new techniques

Continuous Improvement of the Audit Program

Apply the same continuous improvement mindset to the audit program itself:

  • After each audit cycle, conduct a retrospective: What worked? What did not? What should change?
  • Track metrics for the audit program: findings per audit, corrective action closure rates, time from finding to closure
  • Solicit feedback from auditees on the audit experience
  • Benchmark your program against industry practices

Using Technology Effectively

GRC platforms and compliance automation tools can significantly improve audit efficiency:

  • Automated evidence collection reduces the burden on auditees and ensures evidence is current
  • Continuous monitoring provides real-time visibility into control effectiveness between formal audits
  • Finding and corrective action tracking ensures nothing is missed
  • Trend analysis and reporting help identify systemic issues across audit cycles

However, technology should supplement, not replace, human judgment. The most valuable audit insights come from interviews, observation, and the auditor's ability to connect disparate findings into systemic conclusions.

For more on the costs associated with ISO 27001 certification including audit expenses, see our ISO 27001 certification cost breakdown.

Common Internal Audit Mistakes

Auditing only documentation, not implementation. Verifying that a policy exists is not the same as verifying that it is followed. Always test implementation through interviews, observation, and sampling.

Accepting self-reported evidence uncritically. If someone tells you they conduct weekly access reviews, ask to see the records. Trust but verify.

Failing to follow up on previous findings. An internal audit that identifies the same nonconformity two cycles in a row without escalation is a failed process. Track recurrence and escalate persistent findings.

Treating the internal audit as adversarial. The goal is improvement, not punishment. Auditors who approach the process collaboratively get better information and more useful findings.

Rushing the report. A well-documented audit report is the artifact that demonstrates your internal audit program's value to management and to your certification body. Invest the time to make it clear, complete, and actionable.

Not auditing the management system itself. Many organizations audit the Annex A controls thoroughly but neglect to audit Clauses 4 through 10 -- the management system requirements. Your certification body will audit both, and so should you.

Conclusion

The ISO 27001 internal audit is not merely a compliance requirement -- it is the primary mechanism for ensuring your ISMS delivers real security value. Organizations that invest in a well-planned, risk-based audit program with skilled auditors, evidence-based techniques, and robust follow-up processes consistently outperform those that treat internal audit as a checkbox. The findings from a strong internal audit program drive the corrective actions, resource allocation decisions, and continuous improvement that separate a living ISMS from a paper exercise.
