ISO 27001 Internal Audits
Information Security Management Systems
What is ISO 27001?
ISO 27001:2022 is the international standard for information security management systems (ISMS). It takes a risk-based approach to managing sensitive information, ensuring it remains secure through people, processes, and technology controls across 93 Annex A controls.
Whether you're pursuing certification for the first time or need the internal audit at planned intervals that Clause 9.2 requires (annual in most ISMSs) to maintain your certificate, our audits identify gaps and verify corrective actions before your certification body does.
What We Audit
Our ISO 27001 audits cover the full standard — ISMS requirements (Clauses 4–10) plus all 93 Annex A controls across four categories.
- Clauses 4–10: ISMS core requirements including context, leadership, planning, support, operation, performance evaluation, and improvement
- Organizational controls (37): Policies, roles, asset management, access control, supplier relationships, incident management
- People controls (8): Screening, awareness, training, disciplinary process, remote working
- Physical controls (14): Security perimeters, entry controls, equipment protection, secure disposal
- Technological controls (34): Endpoint security, access rights, cryptography, logging, network security, secure development
- GRC platform experience: We have hands-on experience with the Vanta and Drata auditor portals, including automated evidence retrieval, control mapping, and audit task management. We also support Sprinto.
What we commonly flag
Patterns observed across our ISO 27001 internal audits from 2022–2026. These are the items a certification body's Stage 2 auditor will flag if you don't address them first, and the items we help clients close before that happens.
Risk register & annual risk assessment cadence
Clause 6.1.2 · A.5.2 · A.5.3
Risk registers and risk treatment plans drift past their annual update window, most often because the policy specifies an annual cadence but nothing (a calendar item, a GRC-platform task) enforces it.
Statement of Applicability, controls left "in progress"
Clause 6.1.3
SoA entries that read "in progress" or "not implemented" with no owner, target completion date, or compensating control. Such an entry is not a finding in itself, but a Stage 2 auditor will raise it as a nonconformity when it has neither a date nor a compensating control behind it.
Policy acknowledgment gaps
A.5.10 · A.6.3
Most policies are acknowledged by most personnel, but rarely every policy by every person. Gaps concentrate in the third-party-management and acceptable-use policies, and among recent hires.
GRC platform evidence currency
Clause 9.1
Recurring tasks (penetration test, BCP exercise, awareness training, vendor review) that have a defined frequency in policy but whose evidence has lapsed in Drata or Vanta. Common when a quarter slips and the task is pushed out rather than completed.
BCP / DR test exercise execution
A.5.30
The plan exists. The annual exercise, including a full backup-restore validation and confirmation of the RTO and RPO targets, is the part that gets skipped.
Vendor / supplier tracking
A.5.19 · A.5.20
Active vendors that aren't in the supplier register, or registered vendors whose risk reviews are stale.
Network architecture documentation
A.8.20 · A.8.22
Network segregation controls exist in practice but aren't documented: no diagrams of security zones, firewall rule sets, or data flows. Beyond the audit gap, the missing documentation slows incident response.
SDLC threat modeling
A.8.25 · A.8.26
Threat modeling isn't performed consistently for major releases, and "major release" itself isn't defined. STRIDE- or OWASP-aligned threat-model artifacts are usually missing entirely.
Vulnerability remediation SLAs
A.8.8
Critical and high vulnerabilities overdue against the remediation SLA the organization set in its own Vulnerability Management Policy.
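The two findings above, lapsed recurring evidence (Clause 9.1) and vulnerabilities past their SLA (A.8.8), come down to the same check: compare a policy-defined cadence or SLA against the dates the organization actually has evidence for. The script below is an added example written for this page, not a feature of Vanta, Drata or Sprinto and not code from any engagement. The cadences, SLA days, task records and findings are constructed to resemble a GRC-platform task export and a scanner export; the dates are fixed so the run is reproducible. It treats a task with no completion on record as overdue (there is no evidence at all), and a finding with a missing or unrecognised severity as critical, so a mis-tagged item is surfaced rather than quietly given the longest SLA.

```python
"""Evidence-currency check for recurring ISMS tasks and vulnerability SLAs.

Added example for this page; not a GRC-platform feature. All records below
are constructed sample data shaped like a task export and a scanner export.
"""
from datetime import date, timedelta

# Cadence each (hypothetical) policy defines for a recurring task, in days.
CADENCE_DAYS = {"annual": 365, "quarterly": 91, "monthly": 31}

# Remediation SLA from a hypothetical Vulnerability Management Policy,
# counted from the detection date, by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Date the check is run against (fixed so the example is reproducible).
AS_OF = date(2025, 12, 1)

# Constructed recurring-task records; last_completed=None means no evidence exists.
TASKS = [
    {"task": "Penetration test", "cadence": "annual", "last_completed": date(2024, 11, 20)},
    {"task": "BCP/DR exercise", "cadence": "annual", "last_completed": None},
    {"task": "Vendor risk review", "cadence": "quarterly", "last_completed": date(2025, 8, 1)},
    {"task": "Awareness training", "cadence": "annual", "last_completed": date(2025, 10, 5)},
]

# Constructed findings; severity "" stands in for a mis-tagged scanner result.
VULNS = [
    {"id": "VULN-1", "severity": "critical", "detected": date(2025, 11, 20), "status": "open"},
    {"id": "VULN-2", "severity": "high", "detected": date(2025, 11, 15), "status": "open"},
    {"id": "VULN-3", "severity": "high", "detected": date(2025, 10, 1), "status": "open"},
    {"id": "VULN-4", "severity": "medium", "detected": date(2025, 9, 1), "status": "open"},
    {"id": "VULN-5", "severity": "critical", "detected": date(2025, 11, 1), "status": "remediated"},
    {"id": "VULN-6", "severity": "", "detected": date(2025, 11, 10), "status": "open"},
]


def overdue_tasks(tasks, as_of=AS_OF):
    """Return tasks whose next due date (last completion + policy cadence) has passed.

    A task with no completion on record is reported with days_overdue=None:
    it is out of compliance regardless of cadence, because there is nothing to show.
    """
    overdue = []
    for t in tasks:
        if t["last_completed"] is None:
            overdue.append({"task": t["task"], "due": None, "days_overdue": None})
            continue
        due = t["last_completed"] + timedelta(days=CADENCE_DAYS[t["cadence"]])
        if due < as_of:
            overdue.append({"task": t["task"], "due": due, "days_overdue": (as_of - due).days})
    return overdue


def overdue_vulns(vulns, as_of=AS_OF):
    """Return open findings past their SLA, measured from the detection date.

    An empty or unrecognised severity falls back to the critical SLA so the
    finding is surfaced for review instead of silently getting the longest window.
    """
    overdue = []
    for v in vulns:
        if v["status"] != "open":
            continue
        sla = SLA_DAYS.get(v["severity"].lower(), SLA_DAYS["critical"])
        due = v["detected"] + timedelta(days=sla)
        if due < as_of:
            overdue.append({"id": v["id"], "severity": v["severity"] or "untagged",
                            "due": due, "days_overdue": (as_of - due).days})
    return overdue


if __name__ == "__main__":
    for t in overdue_tasks(TASKS):
        print(f"TASK  {t['task']:<20} due {t['due']}  overdue {t['days_overdue']} days")
    for v in overdue_vulns(VULNS):
        print(f"VULN  {v['id']:<8} {v['severity']:<9} due {v['due']}  overdue {v['days_overdue']} days")
```

Run against the sample data as of 2025-12-01, it reports the penetration test (11 days late), the never-run BCP/DR exercise, and the vendor review (31 days late), plus four open findings past SLA, including the untagged one. The point for an internal audit is that the comparison is against the organization's own policy numbers, so the output is exactly the list a Stage 2 auditor would build from the same two exports.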
Security in the budgeting process
Clause 7.1
Security spending happens, but isn't a line item in the planning process, which makes it hard to demonstrate adequate resourcing to an external auditor.
Findings are aggregated patterns drawn from completed engagements. Client identities and engagement specifics are confidential.
Our Process
Typical engagement: 2 weeks (small org) to 6–12 weeks (medium org)
Inquiry & Scoping
We start with a discovery call to understand your organization, ISMS maturity, and audit objectives. This results in a clear scope agreement and engagement letter.
Audit Planning
We define audit objectives, criteria, and a schedule. You receive a document request list so your team can prepare ISMS documentation and evidence ahead of fieldwork.
Document Review
We review your ISMS documentation, policies, Statement of Applicability, risk register, previous audit results, and management review minutes against ISO 27001:2022 requirements. If you use Vanta, Drata, or another GRC platform, we review control status, test results, and evidence directly through the auditor portal. We identify areas to investigate during fieldwork and prepare annotated working papers.
Fieldwork
Starting with an opening meeting, we conduct interviews with your team, review documents and records, observe processes, and gather evidence to assess conformity against all applicable Annex A controls and ISMS clauses. We conclude with a closing meeting to share preliminary findings.
Reporting
Within 3–5 business days post-fieldwork, you receive a formal audit report with findings classified as Major NC, Minor NC, Observation, or Recommendation, along with Corrective Action Requests for each nonconformity.
Corrective Action Support
For each Corrective Action Request we support your team through root cause analysis and remediation. Once actions are implemented, we verify effectiveness through evidence review before formally closing each finding. This typically takes 2–6 weeks.
Certification Readiness
Once all major nonconformities are closed and minor findings are addressed, we advise on certification body selection, what to expect from the Stage 1 and Stage 2 external audits, and confirm your readiness to proceed.
Book Your Audit
Ready to get started? Book a 30-minute scoping call.