ISO 27001 Internal Audit

Frequently Asked Questions

What is an ISO 27001 internal audit?

An internal audit is quite simply an opportunity for an organisation to take an ‘inwards look’ to assess...

How can your organisation meet the internal auditing requirement of ISO 27001?

The ISO 27001 Standard requires that internal audits are conducted at planned intervals. On the face of it...

How can an organisation conduct internal audits on an ISMS to comply with ISO 27001?

Your organisation should aim to conduct internal audits on the mandatory clauses of the Standard...

What are the ISO 27001 requirements for an internal audit?

Requirements for conducting internal audits are contained within Clause 9.2 of the Standard. This Clause states...

What is the ISO 27001 internal audit process?

The process of conducting an audit typically involves the ‘check’ element of the Plan-Do-Check-Act...

Does ISO 27001 require internal audits to be conducted?

Yes - Clause 9.2 of the Standard makes this requirement explicit. Remember, you must...

With ISO 27001, what do you audit against?

Organisations are required to conduct audits to provide evidence of conformance to:...

Who can perform an internal audit for ISO 27001?

The value that an internal audit brings to your organisation will be influenced significantly by...

Does an internal audit need to be conducted by someone internal to your organisation?

No, internal audits can be conducted by third parties, such as URM...

What are the pros and cons of using a third-party organisation?

Pros include impartiality, knowledge of the Standard and expectations of certification body...

How do you conduct an internal ISO 27001 audit?

The responsibility to conduct an audit will typically be delegated by a member of the organisational...

How do you develop an internal audit checklist for ISO 27001?

Internal audit checklists are sourced directly from the audit criteria. The Standard, or the ISMS, will...

Are standards on internal audit mandatory?

The International Organization for Standardization (ISO) has produced a specific...

What standards do internal auditors use?

Whilst ISO 19011 is not mandatory, it is recommended that auditors align to this guidance...

What are some of the traits or characteristics of an effective auditor?

Here are some valuable traits and characteristics of an effective auditor...

Who are the typical auditees in an ISO 27001 internal audit?

During an internal audit, an auditor will need to speak to people at different levels and authorities...

What are the different types of ISO 27001 audits?

There are 3 types of ISO 27001 audits:...

How do you prepare for an ISO internal audit?

In order to prepare for an audit, the following steps should be taken...

What are the pitfalls to avoid in conducting ISO 27001 audits?

Some pitfalls to avoid when organising and conducting an ISO 27001 audit include...

What are the different levels of findings/nonconformities?

There are 3 levels of findings which may result from an audit...

What is the difference between a minor and major nonconformity?

A minor nonconformity is a single or non-critical failure of the ISMS, whereas a major nonconformity is...

How do you ensure consistency in internal auditing?

To maintain consistency in internal auditing, organisations should implement an internal audit process...

ISO 27001:2022 - A.5 Organisational Controls (Incident Management)

Published on 10 Jul 2025

URM’s blog breaks down the six incident management-related controls in Annex A of ISO 27001, providing key guidance on how to implement each control.

Information Security, published on 10/7/2025
ISO 27001:2022 - A.5 Organisational Controls (Legal, Regulatory and Contractual)

URM’s blog explains the legal, regulatory & contractual controls in ISO 27001 & how they can be implemented in full conformance with the Standard.

Information Security, published on 27/6/2025
ISO 27001:2022 - A.5 Organisational Controls (Supplier Management)

URM’s blog explains the importance of the 5 supplier management controls in ISO 27001 & provides practical guidance on how to implement each control.

Information Security, published on 27/6/2025
ISO 27001:2022 - A.5 Organisational Controls (Access Management)

URM’s blog explores why the access controls in ISO 27001 matter, and how to implement each control in full conformance with both the Standard and best practice.
