ISO 27001 Internal Audit — Planning and Executing Properly
The Reality Check Your ISMS Actually Needs
Internal audits are where most organizations either build genuine security maturity or engage in elaborate self-deception. I've reviewed hundreds of internal audit programs over the years, and the pattern is depressingly consistent: organizations treat internal audits as a checkbox exercise, then act surprised when their certification auditor finds systemic failures they somehow missed.
Let me be direct: if your internal audit program isn't finding nonconformities, it's broken. Not because your ISMS is perfect—it isn't—but because your audit program lacks the independence, competence, or courage to identify real problems. A well-planned and properly executed internal audit is your organization's most powerful tool for continuous improvement and risk identification.
What Clause 9.2 Actually Demands
Clause 9.2 of ISO 27001 mandates internal audits at "planned intervals," but most organizations interpret this as "once a year, right before our surveillance audit." This misses the entire point. The standard requires that audit criteria, scope, frequency, methods, and responsibilities are defined and managed within a documented program.
The frequency should be risk-based, not calendar-based. Your incident management processes (Control 5.24) might need quarterly attention if you've had recent security events. Your access control implementation (Controls 5.15 through 5.18) requires frequent review if you have high staff turnover. Meanwhile, stable processes like your information security policy framework (Control 5.1) might genuinely only need annual review.
The objectivity requirement in Clause 9.2.2 is where smaller organizations consistently stumble. You cannot audit your own work. I've seen IT managers "audit" the access control processes they designed and operate daily. The resulting reports are predictably glowing and utterly worthless. If you lack internal resources to maintain separation, consider audit exchanges with peer organizations, or rotating responsibilities across departments with appropriate training.
Building an Audit Program That Finds Real Issues
An effective audit program isn't a calendar with "ISO audit" written on random dates. It's a strategic plan ensuring comprehensive ISMS coverage while directing resources toward areas of greatest risk. Your program should document:
- Complete cycle coverage: Every clause from 4 through 10 and every applicable Annex A control mapped to specific audit activities over a defined period (typically 1-3 years)
- Risk-based frequency: How you determine which processes need more frequent attention based on previous findings, incidents, changes, or inherent risk
- Auditor competence requirements: Specific skills needed for technical controls like cryptography (Control 8.24) versus organizational controls like supplier management (Controls 5.19 through 5.22)
- Integration with other assurance activities: How internal audits coordinate with vulnerability assessments, penetration testing, and management reviews
I worked with a financial services firm certified for five years that had systematically avoided auditing their supplier management processes. During recertification, we discovered 47 suppliers with customer data access, zero security assessments, and contracts unchanged since initial certification. Their audit program had become risk avoidance, not risk management.
Cross-reference your audit planning with related standards. If you process personal data as a processor in public cloud services, ensure your audit covers the ISO 27018 controls; for privacy management more broadly, ISO 27701 extends ISO 27001 with privacy-specific requirements. For cloud services, incorporate ISO 27017 considerations. Organizations using AI systems should consider ISO/IEC 42001 (AI management systems) and the sector-specific AI requirements that will inevitably be audited.
Audit Planning: The Work Before the Work
Individual audit planning determines whether your audit generates actionable findings or generic observations. Before conducting any audit, you need absolute clarity on scope, criteria, and methodology.
Scope definition must be specific enough to be meaningful. "Audit access control" isn't scope—it's a topic. A proper scope might be: "Evaluate effectiveness of user access provisioning and deprovisioning for the CRM system, including compliance with Controls 5.15, 5.16, and 5.18, covering the period January-March 2024."
Audit criteria must be explicit and measurable. Don't audit against vague policy statements. Use specific control implementation guidance from ISO 27002:2022, your own documented procedures, and measurable security objectives. For technical controls, reference specific configuration standards or benchmarks.
Methodology selection should match the control being audited. Document reviews work for policies and procedures, but Controls 8.9 (configuration management) and 8.12 (data leakage prevention) require technical testing. Personnel security controls (Controls 6.1-6.8) need interview techniques and sample verification.
Execution: Where Theory Meets Reality
During audit execution, your approach should vary based on the control category. For organizational controls, focus on evidence of implementation and effectiveness. For technical controls, you need both design evaluation and operational testing.
When auditing Control 8.2 (privileged access rights), don't just verify that procedures exist. Sample actual privileged accounts, check recent access reviews, verify logging configurations, and test approval processes against an independent record such as the change register. Use the assessment guidance in ISO/IEC TS 27008 to structure your testing approach.
Sampling strategies should be risk-informed. For high-risk processes, test larger samples, or the full population, so your conclusions carry tighter confidence intervals. For routine operational controls, representative sampling may suffice. Document your sampling rationale, including how the sample was selected, because external auditors will ask.
Don't fall into the "interview trap" where audits become friendly conversations. Prepare structured questions, request specific evidence, and verify claims through independent sources. If someone claims backups are tested monthly (Control 8.13), ask to see the last three test reports and evidence of any issues identified and resolved.
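As an added example (not part of the original article, and not taken from any tool or standard it names), here is how an auditor might script the evidence test described above for privileged access rights: draw a risk-informed, reproducible sample from a privileged-account export, then verify each sampled account against an independent approval register, check the age of its last access review, and flag accounts whose owner has left. The CSV export, the ticket register, the 90-day review threshold and the sample-size rules are all assumptions constructed for the example.

```python
"""Evidence-based test of privileged access rights (Annex A 8.2) over a
risk-informed sample. All data below is constructed for illustration."""
import csv
import io
import random
from datetime import date, timedelta

# Constructed export of privileged accounts, as an IAM tool might dump it.
ACCOUNTS_CSV = """account,owner,system,granted,last_review,approval_ticket,owner_status
adm-alice,alice,crm-db,2023-06-01,2024-02-15,CHG-1041,active
adm-bob,bob,crm-db,2022-11-20,2023-04-02,CHG-0877,active
svc-etl,platform,crm-db,2021-03-09,,,active
adm-carol,carol,crm-app,2023-09-12,2024-03-01,CHG-1210,left
adm-dave,dave,crm-app,2024-01-05,2024-03-01,,active
adm-erin,erin,crm-app,2023-02-14,2024-01-20,CHG-0990,active
"""

# Constructed change register: the independent source the export is checked
# against. CHG-1210 is deliberately absent to simulate an unapproved grant.
APPROVED_TICKETS = {"CHG-1041", "CHG-0877", "CHG-0990"}

# Assumed policy: privileged rights are reviewed at least every 90 days.
REVIEW_MAX_AGE = timedelta(days=90)


def load_accounts(csv_text):
    """Parse the export into one dict per account."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def sample_size(population, risk):
    """Assumed sample-size rule: high-risk populations are tested in full,
    medium-risk at half (minimum 3), low-risk at a fixed minimum of 3."""
    if risk == "high":
        return population
    if risk == "medium":
        return min(population, max(3, -(-population // 2)))  # ceil(population / 2)
    return min(population, 3)


def draw_sample(accounts, risk, seed):
    """Seeded random sample so the selection can be reproduced in the workpapers."""
    rng = random.Random(seed)
    return rng.sample(accounts, sample_size(len(accounts), risk))


def check_account(acct, as_of, approved_tickets, max_review_age):
    """Return the list of exceptions for one account (empty list = no finding)."""
    findings = []
    ticket = acct["approval_ticket"]
    if not ticket:
        findings.append("no approval record")
    elif ticket not in approved_tickets:
        findings.append(f"approval {ticket} not in change register")
    if not acct["last_review"]:
        findings.append("never reviewed")
    else:
        age = as_of - date.fromisoformat(acct["last_review"])
        if age > max_review_age:
            findings.append(f"last review {age.days} days old")
    if acct["owner_status"] != "active":
        findings.append("owner has left but account remains")
    return findings


def audit_privileged_access(csv_text, risk, as_of_iso, seed=2024):
    """Sample the population and test every sampled account. Returns the
    population and sample sizes plus a dict of accounts with exceptions."""
    as_of = date.fromisoformat(as_of_iso)
    accounts = load_accounts(csv_text)
    sample = draw_sample(accounts, risk, seed)
    findings = {}
    for acct in sample:
        exceptions = check_account(acct, as_of, APPROVED_TICKETS, REVIEW_MAX_AGE)
        if exceptions:
            findings[acct["account"]] = exceptions
    return {"population": len(accounts), "sampled": len(sample), "findings": findings}


if __name__ == "__main__":
    result = audit_privileged_access(ACCOUNTS_CSV, "high", "2024-04-01")
    print(f"tested {result['sampled']} of {result['population']} privileged accounts")
    for account, exceptions in result["findings"].items():
        print(f"  {account}: {'; '.join(exceptions)}")
```

Run as-is, the block tests the whole six-account population (the "high" risk rating) as of 2024-04-01 and reports exceptions on four of them: a stale review, an account never approved or reviewed, a grant whose ticket is not in the change register and whose owner has left, and a grant with no approval record. The point of the structure is that each exception traces to a named evidence source and a stated threshold, which is what the workpapers need to show when the certification auditor asks how the sample was selected and tested.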
What the Auditor Looks For
Having conducted external audits across hundreds of organizations, here's what certification auditors specifically examine in internal audit programs:
- Audit program documentation: Evidence that you've planned comprehensive coverage over a defined cycle
- Auditor competence records: Training records, qualifications, and evidence of technical competence for specialized controls
- Independence evidence: How you ensure auditors don't audit their own work, including rotation schedules or external resources
- Nonconformity identification: Actual nonconformities found and documented—programs that never find issues are immediately suspect
- Follow-up evidence: How nonconformities are tracked, corrected, and verified as effectively addressed
- Management review integration: Evidence that audit results inform management decisions and continual improvement
External auditors pay particular attention to how you audit technical controls. If your internal audits of Controls 8.9 (configuration management) or 8.24 (cryptography) consist only of document reviews, expect detailed questioning about your technical assessment capabilities.
Common Failures and How to Avoid Them
The most common failure is treating internal audits as documentation reviews. I regularly see organizations that have never actually tested whether their incident response procedures work, whether backup restoration succeeds, or whether access controls can be bypassed.
The "friendly audit" syndrome occurs when internal auditors become consultants rather than evaluators. Your role is to provide independent assurance, not to help auditees fix problems during the audit. Document what you find, not what could be if people tried harder.
Technical incompetence in audit teams leads to superficial assessments of critical controls. Controls 8.9 (configuration management), 8.24 (cryptography), and 8.28 (secure coding) require technical knowledge. Don't assign these to auditors who can't distinguish between encryption and hashing.
Scope creep during execution dilutes audit effectiveness. If you discover issues outside your planned scope, document them separately and consider them for future audit planning, but maintain focus on your defined objectives.
Making Internal Audits Drive Real Improvement
Effective internal audits should challenge your organization's security assumptions. Test whether your security awareness training actually changes behavior. Verify that your supplier security assessments identify real risks. Confirm that your incident response capabilities match your documented procedures.
Link your internal audit findings to your risk treatment plans and security objectives. If Control 5.23 (information security for use of cloud services) implementation is weak, how does this impact your risk assessment conclusions? This connection transforms audits from compliance exercises into risk management tools.
Consider the broader ISO 27000 family in your audit approach. Organizations subject to GDPR should look to ISO 27701 (privacy information management) and, where they process personal data in public cloud services, the ISO 27018 controls. Those using cloud services extensively need ISO 27017 considerations. Supply chain security audits should reference ISO 27036 guidance.
Schedule your internal audits to provide meaningful input to management review (Clause 9.3). Audit results should inform decisions about resource allocation, risk tolerance, and strategic security direction. If your audit findings don't influence these decisions, question whether you're auditing the right things.
Expert Tip: Develop audit checklists that go beyond compliance verification. Include questions about control effectiveness, efficiency, and alignment with business objectives. "Does this control actually reduce the identified risk?" is often more valuable than "Does this control exist?"
Remember that internal audits are preparation for external assessment, but their primary value is organizational learning. A robust internal audit program should make your certification audits feel like validation rather than examination—because you already know where your weaknesses are and what you're doing about them.
Ready to transform your internal audit program from compliance theater into a genuine risk management tool? Connect with experienced practitioners at our ISO 27001 Info Hub for practical guidance on audit planning, execution, and improvement, or reach out for specialized consultation on building audit competence in your organization.
Need personalized guidance? Reach our team at ix@isegrim-x.com.