ISO 27001 & ISO 22301 Blog

How to prepare for an ISO 27001 internal audit

Many people simply rush in to prepare a checklist and perform the ISO 27001 internal audit – the sooner this “needless” job is done, the better. But, such a rush will only create problems, and make the internal audit longer than necessary.

So, let’s see what you have to prepare to make this job more efficient. And, is this job really such a waste of time?

What kind of internal auditor should you employ?

There are a few ways to perform an internal audit:

  1. Employ a full-time internal auditor. This is suitable only for larger organizations that would have enough work for such a person (some types of organizations – e.g., banks – are obliged by law to have such a function).
  2. Employ part-time internal auditors. This is the most common situation – organizations use their own employees to perform internal audits, who do so when required (e.g., a couple of times a year) alongside their regular work. One important thing to pay attention to: in order to avoid any conflict of interest (auditors cannot audit their own work), there should be at least two internal auditors, so that one can audit the regular job of the other. See also: Qualifications for an ISO 27001 Internal Auditor.
  3. Employ an internal auditor from outside of the organization. Although this is not a person employed in the organization, it is still considered an internal audit because the audit is performed by the organization itself, according to its own rules. Usually, this is done by a person who is knowledgeable in this field (independent consultant or similar). See also: 5 criteria for choosing an ISO 22301 / ISO 27001 consultant.

Options to consider

Depending on whether you have already implemented ISO 9001 (or some other ISO management standard), and which profile of internal auditor you have, you have some options listed below. You should also study the legislation, because some industries (e.g., financial) have special rules regarding internal audits.

  • Perform one audit or a series of audits throughout the year. If you are a small company, a single audit during the one-year period will be enough; however, if you are a large company, you might want to plan to perform an audit in one department in January, in another department in February, etc.
  • Use the same rules and auditor for other standards as well. If you have already implemented ISO 9001, you can actually use the same internal audit procedure – you don’t need to create a new document just for ISO 27001. Further, the same auditor can perform internal audits for all those systems at the same time – if such a person has knowledge of all these standards and an average knowledge of IT, he or she will be perfectly capable of doing a so-called integrated internal audit, thereby saving time for everyone.
  • Write an internal audit procedure and a checklist, or not. A written procedure that would define how the internal audit is performed is not mandatory; however, it is certainly recommended. Normally, the employees are not very familiar with internal audits, so it is a good thing to have some basic rules written down – unless, of course, auditing is something you do on a daily basis. It’s the same with the internal audit checklist – it is not mandatory, but is certainly useful for beginners. See also: How to make an Internal Audit checklist for ISO 27001 / ISO 22301.

Required documentation

You should have the following documents regarding your internal audit:

  • Internal audit procedure (not mandatory) – this procedure defines the basic rules for performing the audit: how to select the auditors, how the audits are planned, the elements of conducting the audit, the follow-up activities, and how to report from the audits.
  • Internal audit program (mandatory) – this is where audits are planned at the annual level, including their criteria and scope.
  • Internal audit checklist (not mandatory) – this is a checklist that helps the internal auditor not to forget something during the internal audit.
  • Internal audit report (mandatory) – this is where the internal auditor will report on the nonconformities and other findings.

The role of top management

Top management must also get involved in internal audits – from approving the procedure and appointing the internal auditor, to accepting the audit program and reading the internal audit report. These activities should not be delegated to lower levels in the hierarchy, because this could bring the internal auditor into a conflict of interest, and besides, some important information might not find its way to the top.

And, most important of all, top management should make a conscious decision that they will accept and support the internal audit as something that is useful for the business.

The purpose of the internal audit

At first sight, the internal audit probably looks like an overhead expense. However, internal audits can enable you to discover problems (i.e., nonconformities) that would otherwise stay hidden and would therefore harm your business. Let’s be realistic – it is human nature to make mistakes, so it’s impossible to have a system with no mistakes; it is, however, possible to have a system that improves itself and learns from its mistakes.
Internal audits are a crucial part of such a system – they will be the one to tell you if your system really works or not.

This article is an excerpt from the book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own.

Dejan Kosutic
Leading expert on cybersecurity/information security and author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become certified against ISO 27001 and other ISO standards. He believes that making ISO standards easy-to-understand and simple-to-use creates a competitive advantage for Advisera's clients.

As an ISO 27001 expert, Dejan is sought out to help companies find the best way to obtain certification by eliminating overhead and adapting the implementation to the specifics of their size and industry.