ISO 27001 Internal Audit
What is an ISO 27001 internal audit?
An internal audit is quite simply an opportunity for an organisation to take an ‘inwards look’ to assess...
How can your organisation meet the internal auditing requirement of ISO 27001?
The ISO 27001 Standard requires that internal audits are conducted at planned intervals. On the face of it...
How can an organisation conduct internal audits on an ISMS to comply with ISO 27001?
Your organisation should aim to conduct internal audits on the mandatory clauses of the Standard...
What are the ISO 27001 requirements for an internal audit?
Requirements for conducting internal audits are contained within Clause 9.2 of the Standard. This Clause states...
What is the ISO 27001 internal audit process?
The process of conducting an audit typically involves the ‘check’ element of the Plan-Do-Check-Act...
Does ISO 27001 require internal audits to be conducted?
Yes - Clause 9.2 of the Standard makes this requirement explicit. Remember, you must...
With ISO 27001, what do you audit against?
Organisations are required to conduct audits to provide evidence of conformance to:...
Who can perform an internal audit for ISO 27001?
The value that an internal audit brings to your organisation will be influenced significantly by...
Does an internal audit need to be conducted by someone internal to your organisation?
No, internal audits can be conducted by third parties, such as URM...
What are the pros and cons of using a third-party organisation?
Pros include impartiality, knowledge of the Standard and expectations of certification body...
How do you conduct an internal ISO 27001 audit?
The responsibility to conduct an audit will typically be delegated by a member of the organisational...
How do you develop an internal audit checklist for ISO 27001?
Internal audit checklists are sourced directly from the audit criteria. The Standard, or the ISMS will...
Are standards on internal audit mandatory?
The International Organization for Standardization (ISO) has produced a specific...
What standards do internal auditors use?
Whilst ISO 19011 is not mandatory, it is recommended that auditors align to this guidance...
What are some of the traits or characteristics of an effective auditor?
Here are some valuable traits and characteristics of an effective auditor...
Who are the typical auditees in an ISO 27001 internal audit?
During an internal audit, an auditor will need to speak to people at different levels and authorities...
How do you prepare for an ISO internal audit?
In order to prepare for an audit, the following steps should be taken...
What are the pitfalls to avoid in conducting ISO 27001 audits?
Some pitfalls to avoid when organising and conducting an ISO 27001 audit include...
What are the different levels of findings/nonconformities?
There are 3 levels of findings which may result from an audit...
What is the difference between a minor and major nonconformity?
A minor nonconformity is a single or non-critical failure of the ISMS, whereas a major nonconformity is...
How do you ensure consistency in internal auditing?
To maintain consistency in internal auditing, organisations should implement an internal audit process...
Never miss a thing
Stay in the loop
Please provide your contact details and we will email you with any future changes to ISO 27001 (and the implications!).
URM is one of the UK's most trusted training providers in the areas of information security and governance. Check our training program.
Find out more
related BLog
ISO 27001:2022 - A.5 Organisational Controls (Business Continuity)
Published on
18 Jul
2025
URM’s blog explores the ISO 27001 business continuity controls, why they matter, & how they can be effectively implemented to ensure conformance to the Standard
Read more
Information Security
published on
10/7/2025
ISO 27001:2022 - A.5 Organisational Controls (Incident Management)URM’s blog breaks down the six incident management-related controls in Annex A of ISO 27001, providing key guidance on how to implement each control.
Read more
Information Security
published on
10/7/2025
ISO 27001:2022 - A.5 Organisational Controls (Legal, Regulatory and Contractual)URM’s blog explains the legal, regulatory & contractual controls in ISO 27001 & how they can be implemented in full conformance with the Standard.
Read more
Information Security
published on
27/6/2025
ISO 27001:2022 - A.5 Organisational Controls (Supplier Management)URM’s blog explains the importance of the 5 supplier management controls in ISO 27001 & provides practical guidance on how to implement each control.
Read more
"
The partnership approach URM takes is genuine. Our relationship with URM is not hard-nosed or overly commercialised, and feels much closer to a partnership arrangement than any other security consultancy providers we have worked with. If we had a new piece of work that we needed external help with, URM would be our first port of call for assistance.
CISO at University of Surrey
contact US
Let us help you
Let us help you in your compliance journey by completing the form and letting us know how we can best support you.