ISO 27001 Internal Audits
Information Security Management Systems
What is ISO 27001?
ISO 27001 is the international standard for information security management systems (ISMS). It provides a systematic approach to managing sensitive information, ensuring it remains secure through people, processes, and technology controls.
Whether you're pursuing ISO 27001 certification for the first time or maintaining compliance through surveillance audits, our internal audits identify gaps before your certification body does.
What We Audit
Our ISO 27001 audits cover the full standard — ISMS requirements (Clauses 4–10) plus all 93 Annex A controls across four categories.
1. Clauses 4–10: ISMS core requirements including context, leadership, planning, support, operation, performance evaluation, and improvement
2. Organizational controls (37): Policies, roles, asset management, access control, supplier relationships, incident management
3. People controls (8): Screening, awareness, training, disciplinary process, remote working
4. Physical controls (14): Security perimeters, entry controls, equipment protection, secure disposal
5. Technological controls (34): Endpoint security, access rights, cryptography, logging, network security, secure development
6. GRC platform support: We can work within Vanta, Drata, or Sprinto if your organization uses one for evidence management
Our Process
Typical engagement: 2 weeks (small org) to 6–12 weeks (medium org)
Inquiry & Scoping
We start with a discovery call to understand your organization, ISMS maturity, and audit objectives. This results in a clear scope agreement and engagement letter.
Audit Planning
We define audit objectives, criteria, and a schedule. You receive a document request list so your team can prepare ISMS documentation and evidence ahead of fieldwork.
Document Review
We review your ISMS documentation, policies, Statement of Applicability, and risk register against ISO 27001 requirements. We identify areas to investigate during fieldwork and prepare annotated working papers.
Fieldwork
The core of the audit: we conduct interviews with your team, review documents and records, observe processes, and gather evidence to assess conformity against all applicable Annex A controls and ISMS clauses.
Reporting
Within 3–5 business days post-fieldwork, you receive a formal audit report with findings classified as Major NC, Minor NC, Observation, or Recommendation, along with Corrective Action Requests for each nonconformity.
Certification Readiness
Once nonconformities are addressed, we confirm readiness and advise on certification body selection and what to expect from the Stage 1 and Stage 2 external audits.
Book Your Audit
Ready to get started? Book a 30-minute scoping call.