How to Conduct an ISO/IEC 27001 Internal Audit?

Introduction

An internal audit shows whether your ISMS works in real life. It tells you what is in control, what drifts, and what to fix before the certification audit. Done well, it is a short, focused check that builds trust across teams.

Why the internal audit matters?

It gives leadership facts not guesses. It tests controls where risk is highest. It keeps the Statement of Applicability honest and the risk register alive. It also proves that you check your own work, not just write policies.

What to have on hand?

ISMS scope, policy, risk assessment, risk treatment plan, Statement of Applicability, asset list, data flows, procedures, training logs, access reviews, change records, backup and restore proof, incident tickets, supplier due diligence, business continuity tests, internal metrics, last audit report and action status.

Step by step

  1. Plan a risk-based program
    Map high risk areas first. Identity and access, change, incident response, supplier control, backups, and logging often carry the most weight.

  2. Prepare your checklist
    Tie each question to a clause or an Annex A control from the 2022 edition. Keep questions short. Ask for evidence, not opinions.

  3. Hold a brief opening
    Confirm scope, timing, rules, and how findings will be graded. Set a friendly tone. You are there to learn, not to police.

  4. Collect evidence
    Sample records. Look at dates, owners, approvals, and completeness. Follow a real ticket from start to finish so the chain is clear.

  5. Interview and observe
    Speak with people who do the work. Watch how they handle access, changes, incidents, or supplier onboarding. Check that what is done matches what is written.

  6. Test key controls

  • Access: sample joiners, movers, leavers, admin rights, MFA, reviews

  • Changes: approvals, testing, separation of duties, emergency changes

  • Logging: what is logged, retention, alerting, who reviews it

  • Backups: frequency, scope, off-site copy, test restores

  • Incidents: detection, triage, lessons learned, action follow up

  • Crypto: key management, storage, rotation, revocation

  • Supplier: due diligence, contracts, SLAs, reports, exit plans

  • Continuity: RTOs and RPOs, test evidence, lessons applied

  1. Evaluate against criteria
    Mark conformities, observations, and nonconformities with clear evidence and clause references. No vague wording.

  2. Close with owners
    Share what you saw, agree facts, and outline next steps and dates.

  3. Report
    Write a short report. Scope, team, dates, samples taken, findings with evidence, and a summary view of ISMS health.

How Pacific Certifications can help?

We provide accredited ISO/IEC 27001 certification audits. If you need an independent internal audit, use trained internal staff or an external provider separate from your certification body. When you are ready for Stage 1 and Stage 2, we audit with a focus on real practice and clean proof.

Read more: How to Conduct an ISO 27001 Internal Audit

Comments

Post a Comment

Popular posts from this blog

How to Identify and Address ISO 9001 Non-Conformities

In the world of quality management, adherence to ISO 9001 standards is a critical aspect for businesses striving for excellence. ISO 9001:2015 sets out the criteria for a quality management system and is based on a number of quality management principles including a strong customer focus, the motivation and implication of top management, the process approach, and continual improvement. However, despite the best efforts, organizations may sometimes face non-conformities with these standards. Identifying and addressing these non-conformities is essential for maintaining the integrity of the quality management system and ensuring continuous improvement. In this blog, we will explore how organizations can effectively identify and address ISO 9001 non-conformities. Read more : How to Identify and Address ISO 9001 Non-Conformities
Read more

ISO 14641:2018

Image
  What is the ISO 80079-36:2016? The ISO 80079-36:2016 certification is an important standard for businesses that work with explosive atmospheres. It sets out the requirements for the design, manufacture, and installation of equipment used in potentially explosive atmospheres. Companies that comply with this standard can demonstrate to customers and regulatory authorities that they have taken all necessary steps to ensure the safety of their products and operations. By obtaining ISO 80079-36:2016 certification, businesses can show their commitment to safety and quality while gaining a competitive edge in the industry. What are the requirements of ISO 80079-36:2016? ISO 80079-36:2016 defines the requirements for equipment used in explosive atmospheres. It is a certification process that ensures the safety of equipment. Which must meet certain standards before being approved for use in hazardous environments. This standard applies to all types of industrial and c...
Read more

ISO certifications in East Germany (German Democratic Republic) and how Pacific Certifications can help

Image
  The German Democratic Republic (GDR), commonly known as East Germany, existed from 1949 until German reunification in 1990. During its existence, East Germany had its own standards organization, the Amt für Standardisierung, Messwesen und Warenprüfung (ASMW), which was responsible for setting national standards. While the ISO (International Organization for Standardization) develops and publishes international standards, individual countries choose how and whether to adopt these standards within their national framework. Since East Germany was a separate entity until 1990, it has interacted with ISO standards differently compared to how modern Germany does today. Post-reunification, Germany has fully integrated into the international standards system, with the Deutsches Institut für Normung (DIN) being the primary national standards body in Germany. DIN is a member of ISO and plays a significant role in the development and adoption of ISO standards within Germany. ISO Standards a...
Read more