Ilya Vasilenko

ISO/IEC 27001:2022 Internal Audit

What is an Internal Audit according to ISO/IEC 27001:2022?

An internal audit is a key requirement of ISO/IEC 27001:2022 and serves to validate that your Information Security Management System (ISMS) is effectively implemented and ready for the external certification audit. It is an independent assessment initiated by your organization to identify gaps, nonconformities, and opportunities for improvement—before a certification body does.

The requirement to carry out an internal audit is set out in Section 9.2.1 of the ISO/IEC 27001:2022 standard:

The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system:

a) conforms to

  1. the organization's own requirements for its information security management system;
  2. the requirements of this document;

b) is effectively implemented and maintained.

Additionally, Section 9.2.2 of the standard requires establishing an Internal Audit Programme that defines the scope and criteria for the audit, ensures the selection of an independent auditor, and mandates that audit results are reported to the relevant management stakeholders.

Why Use an External Expert for the Internal Audit?

Despite the term "internal", ISO 27001 does not mean that the auditor must be an employee. Using an independent external expert often provides better objectivity, deeper insight, and helps avoid conflicts of interest. It also ensures that your internal audit meets the competence and impartiality criteria required by the standard.

When to carry out the internal audit?

An internal audit should be carried out when your organization believes that the ISMS is fully implemented and operating effectively—which means once all mandatory policies, controls, records and processes are in place. To ensure there is enough time to address any nonconformities or improvement opportunities, it is recommended to conduct the internal audit at least four weeks before your scheduled external certification audit. This buffer allows sufficient time for corrective actions and re-validation if needed, increasing your chances of a successful certification outcome.

How Is the Audit Carried Out?

Our internal audits are pragmatic and efficient:

What is the result of the Internal Audit?

The primary outcome of the internal audit is the Internal Audit Report. This report provides a structured protocol of all audited requirements and controls based on ISO/IEC 27001:2022, documenting which areas were assessed, how they were evaluated, and the results. It may include findings such as nonconformities, observations, or opportunities for improvement. Nonconformities (if any were found) must typically be addressed before the external audit. Recommendations can be addressed according to priorities set by the company, either before or after the audit. The Internal Audit Report is typically shared with the external auditor as part of the audit preparation, demonstrating that the organization has fulfilled the internal audit requirement and proactively evaluated its ISMS for compliance and effectiveness.

Why Choose Compliance Made Simple?

I am a certified ISO/IEC 27001:2022 internal auditor with many years of hands-on experience in designing, implementing, and auditing ISMS in a wide range of organizations. I have a deep understanding of the standard and practical audit experience, and I assure you that you will receive a thorough, value-adding internal audit that helps you succeed in your certification journey.

Contact

DM me on if you have any questions or are interested in having me carry out an internal audit for your organization.