Many organizations treat their ISO 27001 internal audit as a mere formality – just a box to tick before the external auditor comes. Needless to say, this is the reason so many fail their Stage 2 certification. An internal audit done right operates as a mock trial, stress-testing your Information Security Management System before someone else does it for you.
Why Your Internal Audit Team Isn’t Just An IT Problem
The first mistake is staffing the audit team entirely from the IT department. ISO/IEC 27001:2022 covers far more than network security. The updated standard organizes controls across four categories: Organizational, People, Physical, and Technological. That scope touches HR onboarding procedures, physical access to server rooms, legal contract requirements, and supplier management – none of which IT staff are best positioned to audit objectively.
An effective team pulls in cross-functional representation. An HR manager can assess whether access provisioning and offboarding procedures are actually followed. Someone from legal or compliance can evaluate whether contractual security obligations are being tracked. An operations lead can walk a physical site audit without defaulting to IT assumptions. The goal is coverage across all 93 Annex A controls, not just the ones that live on a network diagram.
The Impartiality Requirement Isn’t Optional
Clause 9.2 of the standard is clear: auditors can’t audit anything they’ve had a direct hand in. Sounds simple enough. Yet common sense falls apart in practice, particularly in smaller organizations where it’s common for one person to oversee both a control and the unit responsible for assessing it.
Rotate the domains on your audit calendar. Put an IT pro in charge of auditing HR’s onboarding and offboarding parameters. Put an HR officer in charge of assessing whether IT’s access control measures jibe with the necessary guidelines outlined in your ISMS. Appoint the facilities manager to determine whether or not IT’s physical security controls in the data room suffice per what’s written. The point is to put as much daylight between the auditor and the process being audited as possible.
If you can’t manage that – because you’re too small, your staff is over-extended, or you lack the necessary audit expertise altogether – that’s a legitimate block, not a dodge. More than 50% of organizations say that a lack of in-house skills and time is the #1 roadblock they face while pursuing ISO 27001 certification (IT Governance ISO 27001 Global Report). If that’s your case, partnering with an iso 27001 consultant to co-source your internal audits, facilitate staff training, or perform a gap analysis in advance of your formal Stage 1 audit is a practical, sensible move – not a shortcut.
Building A Usable Audit Checklist From Annex A
Do not give your auditors the standard and tell them to audit against it verbatim. The controls must be transformed into auditable, specific questions before the auditing work begins.
Control 5.15 is an access control policy. A verbatim reading cannot be audited. An auditable question is, “Can the organization provide evidence that access rights are reviewed at least annually, with documented approval and a log of changes made?” That is something that an auditor can verify with a file, a policy, or an interview.
Develop a master checklist that links each applicable Annex A control to a specific evidence request. The evidence type is also important – physical records, system-generated logs, signed approvals, and interview notes all qualify as evidence under the evidence-based auditing approach. Just having someone tell you that it is managed will not qualify.
Categorizing Findings So Remediation Actually Happens
Not all findings are considered equally important, and the internal audit team must have a standard method for categorizing them. Here’s the typical framework.
A Major Non-Conformity means a required control is missing, totally ineffective, or implemented so badly it’s indicative of a larger problem. These will block a certification audit. A Minor Non-Conformity means the control is there but has gaps – it’s not consistently applied, not fully documented, or starting to fail. An Opportunity for Improvement (OFI) is an observation where nothing is technically wrong, but the organization could do better to reduce risk or strengthen the control.
This categorization determines how the organization prioritizes its Corrective Action Plans before the external Stage 2 audit. Major findings need immediate ownership, root cause documentation, and verified remediation. Minor findings need tracked action items with deadlines. OFIs can sit in the backlog for the next audit cycle.
Connecting Findings To The Management Review
Audit findings are meaningless if they are kept hidden in a spreadsheet. A formal Management Review is mandated by Clause 9.3, during which the results of the internal audit are supposed to be presented to executive leadership. These people are not going to be the ones reading your Annex A checklist. They are making budget decisions.
So, before the meeting ever happens, you must translate all of the technical findings into business risk language. A finding about inadequate logging retention isn’t, “control 8.15 isn’t meeting the 12-month retention requirement.” It’s “we have a gap that would prevent us from detecting or investigating a breach that occurred more than 90 days ago.” That framing gets budget approved for remediation.
Keeping The Team Competent After Certification
Getting certified once doesn’t mean your internal audit team is set for good. The controls they’re checking change over time, the threats they need to watch for shift too, and sooner or later the standards themselves get revised. That’s just the nature of it.
The fix is straightforward: build a simple ongoing training rhythm. Quarterly check-ins on emerging threats and weak spots, a yearly refresher when controls get updated, and a short retrospective after each audit where you ask the team what they missed and why.
Your internal auditors are effectively your early warning system for ISMS drift. Treat them that way – pick the right people, give the role real teeth, and make sure they’re actually catching problems rather than just signing off on whatever’s put in front of them.
