Clause 9.2 of ISO 27001 requires your organisation to conduct internal audits at planned intervals. These audits must cover the entire ISMS — not just the areas you feel confident about. The internal audit is the mechanism by which your organisation checks whether its own ISMS is operating as intended, independent of the management team responsible for running it. It is mandatory, and there is no alternative route to compliance.
The Internal Audit Process — 5 Steps
- Step 1, Build Audit Programme: plan scope, schedule, auditors — cover all clauses 4–10
- Step 2, Prepare Checklists: evidence to check per control — prevents conversation-only audits
- Step 3, Conduct the Audit: document review, evidence collection, staff interviews
- Step 4, Write Audit Report: conformities, observations, nonconformities — evidence-referenced
- Step 5, Issue and Close Corrective Actions: root cause → action → owner → deadline → verified closure
Internal Audit vs External Audit: Understanding the Difference
The internal audit is conducted by your own organisation, using internal or contracted resources. Its purpose is self-assessment and improvement. The external audit, conducted by your certification body, is the independent third-party verification that results in (or maintains) your certificate. The two are distinct but related: your internal audit findings and corrective actions are evidence that the certification body auditor will review during Stage 2 and surveillance audits. A credible internal audit programme strengthens your external audit position significantly.
The most important requirement for the internal auditor is independence from the area being audited. You cannot audit your own work. In a small organisation, this might mean the ISMS Manager audits the IT team's controls while the IT lead reviews the HR and administrative controls. What is not acceptable is one person auditing their own work with no peer review.
Step 1: Build an Audit Programme
An audit programme is the plan for how you will cover all areas of your ISMS across the audit cycle. The cycle is typically annual. You document which areas will be audited, when, by whom, and using what criteria. This does not need to be elaborate — a one-page document covering the audit schedule is sufficient for most organisations.
When planning what to cover, structure your programme around:
- All ISO 27001 clauses (4 through 10) — every clause must be audited at least once in the cycle
- Applicable Annex A controls from your Statement of Applicability
- Areas where nonconformities or observations were raised in the previous cycle
- Areas of significant change since the last audit — new systems, new suppliers, new processes
- High-risk areas identified in the risk register
Step 2: Prepare Audit Checklists
For each area of the ISMS you plan to audit, prepare a checklist of what you will check and what evidence you will look for. This prevents the audit from being a conversation about whether things are theoretically in place and ensures it is grounded in actual evidence.
Example checklist items for access control (A.8.3):
- Review the user access list for key systems — are there any accounts for former employees?
- Check that privileged access is limited to staff with a documented business need
- Review the last access review date — has it been conducted within the required period?
- Sample 3-5 user accounts and confirm access levels match their job roles
- Check that joiners and leavers have been processed within the timescales defined in the access control policy
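Turning these checklist items into repeatable evidence checks, as an added example that is not part of the original page: a small Python script that runs the five A.8.3 items above over a constructed account export, HR leaver list and privileged-access register (all sample data; the group names, policy values and role-to-group mapping are assumptions). Each function returns the evidence a report finding can cite, so a check that returns nothing is a conformity and anything else is a candidate nonconformity.

```python
from datetime import date

ACCOUNTS = [  # constructed sample export from the system under review (not real data)
    {"user": "alice", "role": "finance", "groups": {"finance-app", "prod-admin"}, "enabled": True, "disabled_on": None},
    {"user": "bob", "role": "dev-lead", "groups": {"git", "prod-admin"}, "enabled": True, "disabled_on": None},
    {"user": "carol", "role": "hr", "groups": {"hris"}, "enabled": True, "disabled_on": None},
    {"user": "dave", "role": "dev", "groups": {"git"}, "enabled": False, "disabled_on": date(2024, 5, 9)},
]
LEAVERS = {"carol": date(2024, 4, 30), "dave": date(2024, 5, 3)}  # constructed HR leaver list: user -> leave date
PRIV_NEED = {"bob": "approved via CHG-0042 (constructed reference)"}  # documented business need register
PRIVILEGED_GROUPS, POLICY = {"prod-admin"}, {"review_days": 90, "leaver_sla_days": 2}  # assumed policy values
ROLE_GROUPS = {"finance": {"finance-app"}, "dev-lead": {"git", "prod-admin"}, "hr": {"hris"}, "dev": {"git"}}
LAST_ACCESS_REVIEW, TODAY = date(2024, 1, 15), date(2024, 6, 1)  # date of last review record; audit date

def former_employee_accounts(accounts, leavers):
    """Item 1: accounts still enabled for people HR lists as leavers."""
    return sorted(a["user"] for a in accounts if a["enabled"] and a["user"] in leavers)

def privileged_without_need(accounts, need_register):
    """Item 2: enabled members of privileged groups with no documented business need."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and a["groups"] & PRIVILEGED_GROUPS and a["user"] not in need_register)

def access_review_overdue(last_review, today, period_days):
    """Item 3: days the periodic access review is overdue (0 when within the required period)."""
    return max(0, (today - last_review).days - period_days)

def role_mismatches(accounts, role_groups):
    """Item 4: enabled accounts holding groups beyond what their job role should have."""
    return {a["user"]: sorted(a["groups"] - role_groups[a["role"]])
            for a in accounts if a["enabled"] and a["groups"] - role_groups[a["role"]]}

def leaver_sla_breaches(accounts, leavers, sla_days):
    """Item 5: leavers disabled after the policy deadline, or not disabled at all."""
    out = {}
    for a in (x for x in accounts if x["user"] in leavers):
        if a["enabled"]:
            out[a["user"]] = "still enabled"
        elif (late := (a["disabled_on"] - leavers[a["user"]]).days - sla_days) > 0:
            out[a["user"]] = f"disabled {late} day(s) late"
    return out

def run_checklist():
    # One entry per checklist item; empty or zero means conforming, anything else is evidence for a finding.
    return {
        "1 former employee accounts": former_employee_accounts(ACCOUNTS, LEAVERS),
        "2 privileged without need": privileged_without_need(ACCOUNTS, PRIV_NEED),
        "3 access review overdue (days)": access_review_overdue(LAST_ACCESS_REVIEW, TODAY, POLICY["review_days"]),
        "4 role mismatches": role_mismatches(ACCOUNTS, ROLE_GROUPS),
        "5 leaver SLA breaches": leaver_sla_breaches(ACCOUNTS, LEAVERS, POLICY["leaver_sla_days"]),
    }
```

On the sample data every item except the privileged-access register for bob produces evidence, which is exactly what the report in Step 4 needs: the user, the group and the number of days, not an impression of how the team felt.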
Step 3: Conduct the Audit
The audit itself consists of document review, evidence review, and interviews. For a small organisation, a single day of structured review is often enough to cover the core ISMS areas. Larger or more complex scopes may require two to three days.
During the audit, collect evidence systematically. Screenshots of system configurations, signed policy acknowledgement logs, training completion records, and incident log extracts all serve as evidence. Record exactly what you checked, what you found, and where the evidence is stored. This documentation is what your external auditor will review — it needs to be clear enough that someone who was not present can understand what was audited and what the finding was.
Finding nonconformities during your internal audit is a good sign, not a bad one. It shows the audit is working. An internal audit that finds no issues at all looks superficial to an external auditor. Real systems have imperfections — the internal audit is the mechanism for finding and fixing them before the external auditor does.
Step 4: Write the Audit Report
The audit report must document what was audited, who conducted the audit, the audit dates, the criteria used, and the findings. Findings fall into three categories: conformities (things that are working as required), observations (areas for improvement that do not constitute a nonconformity), and nonconformities (requirements of the standard or your own policies that are not being met).
Keep the report factual and evidence-referenced. Avoid subjective language. "Policy document had not been reviewed since March 2023, against a stated annual review requirement" is a clear nonconformity finding. "The team seemed uncertain about the policy" is not.
Step 5: Issue and Close Corrective Actions
For each nonconformity, raise a corrective action that identifies: the root cause of the nonconformity, the action required to fix it, who is responsible for the action, and the target completion date. The corrective action must then be verified closed — someone needs to confirm that the action was taken and the nonconformity resolved before the corrective action can be marked complete.
Open corrective actions from a previous internal audit cycle that have not been closed are a significant finding in external audits. Maintain a corrective action log and review it as part of your management review process.
Common Internal Audit Mistakes
- Conducting the audit too close to the external audit date — insufficient time to close corrective actions
- Auditing only the areas the ISMS manager is confident about and avoiding the gaps
- Not documenting evidence — the audit has no value without a paper trail
- Treating nonconformities as failures rather than learning opportunities
- Auditing every year but never actually closing corrective actions from previous cycles
- Having the ISMS manager audit their own work without peer involvement
Our internal audit template pack includes the audit programme template, clause-by-clause checklists, the audit report template, and a corrective action log — everything you need to run a credible internal audit without starting from scratch.