
How to do an ISO 27001 Internal Audit + Template

Last updated Sep 25, 2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

ISO 27001 Internal Audit

If you are going for ISO 27001 certification or you are already certified then you are going to have to perform internal audits.

Internal audits are part of the continual improvement process. They check that everything is working as it should and identify any areas that could be improved.

What is an ISO 27001 Internal Audit?

An ISO 27001 internal audit is the process by which an organisation uses its own, independent staff to verify the effectiveness of the information security management system (ISMS) and the information security controls.

Applicability to Small Businesses, Tech Startups, and AI Companies

Internal audit is useful for any size company, no matter how big or small you are. Here’s how it applies:

  • Small Businesses: You can use it to show your customers that you take their data seriously. It helps you build trust and can give you a leg up on the competition.
  • Tech Startups: For you, it’s a great way to show potential investors and partners that you’re mature and responsible with your data. It helps you get ready for growth and keeps your operations secure.
  • AI Companies: Since you deal with so much data, this audit helps you make sure you’re handling it responsibly and ethically. It’s key to keeping your algorithms safe and your data processing secure.

ISO 27001 Internal Audit Template

Before we look at the step-by-step guide, let's consider some helpful templates.

The best way is to get a copy of the Ultimate ISO 27001 Toolkit, of which the ISO 27001 Audit Toolkit is a part. We have also made the ISO 27001 Audit Toolkit available standalone.

The ISO 27001 Audit Toolkit includes everything you need to conduct ISO 27001 audits and ISO 27001 gap analysis.

(Image: ISO 27001 Gap Analysis and Audit Toolkit)

Why do ISO 27001 Internal Audits?

Internal audit is a requirement of the ISO 27001 standard and covered explicitly in ISO 27001:2022 Clause 9.2 Internal Audit.

These audits are designed to help you improve the information security management system and ensure that it still meets the requirements of the ISO 27001 standard. They help you spot weak spots in your security before a real problem happens. It's like a fire drill for your data.

Who should conduct an ISO 27001 Internal Audit?

Internal audits should be performed by internal employees of the organisation. The caveat is that the person must have the experience and skills required to conduct an audit and be independent of the area being audited. If you do not have the competence or skills then an internal audit can be outsourced to a third party.

Being independent of the area being audited means that you must not be accountable or responsible for, or operate, the area that is audited.

In this article I show you how you can conduct the internal audit as an internal employee.

When do you do an ISO 27001 internal audit?

You should do an internal audit at least once a year. It’s a good idea to do it before your big certification audit. You can also do one after a major change in your business, like launching a new product or moving to a new office.

There are typically four scenarios in which an internal audit will be conducted:

  • Prior to the ISO 27001 certification audit
  • At least once annually
  • After an incident
  • After a significant change

Where do you need it?

You need to do the audit everywhere in your company where you handle information. That means you should check your computers, your servers, your cloud storage, and even how your employees handle paper documents.

How to Conduct an ISO 27001 Internal Audit: Step-By-Step

Time needed: 1 hour and 30 minutes

How to conduct an ISO 27001 Internal Audit

  1. Create your ISO 27001 Audit Plan

    The audit plan document allows you to plan both the internal and external audits for the year and to record when those audits took place.

    You complete the audit plan for the year ahead. Remembering that audit is risk-based, consider the following when planning audits:

    Plan your external audits first. These represent anchor points and give you a goal and target by which your internal audits should have completed.

    The entire ISMS and the Annex A / ISO 27002 controls require auditing at least once in a 12-month period.

    When considering whether an area requires auditing more than once, ask whether the control represents a high-risk area, or whether a significant incident or failing involving the control has occurred in the last 12 months.

    Note: Remember to audit both the ISMS and the Annex A controls.

    (Image: ISO 27001 Audit Plan Example)

  2. Keep the audit plan up to date

    The audit plan is updated based on changes and scheduling requirements. The following are usual scenarios when the audit plan will require updating:

      • Staff availability changes
      • Your audit plan slips
      • You have a significant incident

    When the audit plan changes it should be presented at the next Management Review Team Meeting and recorded in the minutes of the meeting.

    Note: Remember to update your document version control.

  3. Identify the control owners

    To conduct an internal audit we need to know who we are going to audit. Identify and document the information security control owners and their contact details.

    The RASCI document is used to record who is accountable and who is responsible for the controls. Using this document you can identify the people to speak to.

    (Image: ISO 27001 RASCI Matrix Free PDF Example)

  4. Decide on your audit approach

    Audit is based on the principle 'if it is not written down it does not exist'. Your audit will look for evidence in the form of documents, files and records. You have 3 main options for conducting an audit, and you can choose one or a combination of the following:

    Interview: Speaking to people and seeking answers to questions on controls. Be sure to record the date, time, location and attendees, as well as the notes from the interview. It is best practice, though not essential, to send the record of the interview to the interviewee and ask them to send back corrections if you have misunderstood or misrepresented anything.

    Observation of process and activity: As with an interview, you will sit with the person and observe either the systems they use or the operation of the process as they perform it. Follow the same guidelines as for an interview.

    Review of documents and records: Speaking to control owners, you will ask them to send you links to, or copies of, the documentation and records that make up the control. This can include screenshots. You are looking for evidence of the operation of the process and control.

  5. Contact the Control Owners

    Make contact with the person or persons that you are going to audit. Introduce yourself and explain the context of what you are going to do, what you are going to cover in the audit and what the outcome will be. Explain to them your approach to the audit based on the 3 options discussed when deciding your audit approach. Ask them for the best times and dates for holding a 1-hour meeting to conduct the audit and be flexible to their schedule. You want the person onside and comfortable.

  6. Arrange the Audit Meeting

    Your audit meeting can take from 10 minutes up to 1 hour depending on the maturity of the process and the availability of the evidence. Schedule your first meeting for 1 hour.

    Create and send an agenda that covers:
      • The time, location and attendees
      • The details of the control objectives you will cover
      • The list of documents, or types of documents and records, you would like access to

    Send the agenda and the meeting request in good time and be prepared to reschedule based on people's availability.

    Save a copy of the agenda in the audit folder for your records.

    For a face-to-face meeting, ensure that the meeting takes place in a location with a screen on which the person can display any relevant documents.

    For a web-based meeting, ensure your environment is set up for a professional-level meeting and your technology is properly configured. If sharing a desktop, be sure that no confidential documents are open, that notifications are disabled and that chat is disabled.

  7. Conduct your first meeting

    Introduce yourself and explain the context of what you are doing, the agenda and what you are hoping to achieve. Explain the audit approach that you have decided to take. Explain that this is not a test, that not knowing an answer is perfectly acceptable, and that a follow-up meeting can be arranged for any gaps or documents can be shared after the meeting.

  8. Perform the audit

    For each control that you are auditing:
      • Read the control objective.
      • Clarify what the control objective is hoping to achieve.
      • Seek evidence that the control and control objective are being met and record your findings.

    (Image: ISO 27001 Audit Worksheet)

  9. After the Audit Meeting

    If there are items that could not be covered and require follow-up, repeat the above process until you are satisfied that you have covered all control objectives and reviewed all available evidence.

  10. Create the internal audit report

    Record your findings in the audit report. Include an audit report summary and your audit working papers.

  11. Report your audit findings to those audited

    Either in person or digitally, present your audit findings to the person(s) audited. Seek agreement that the findings represent what was discussed and the reality as they see it, or note any clarifications they wish to make. It may be that you have misunderstood something, or that further evidence is available but was not provided on the day.
    Be clear that the findings are not a reflection on any individual or their role and are not a comment on the operation in either a positive or negative way. Explain that the findings are objective and based on the evidence provided. Where there is a request to provide additional supporting evidence, consider setting a time limit.

  12. Report your audit findings to the Management Review Team

    Present the audit report and findings to the management review team and interested parties.

  13. Update the Incident and Corrective Action Log

    Update the Incident and Corrective Actions Log with the nonconformities and the corrective actions.

    (Image: ISO 27001 Incident and Corrective Action Log Example)

  14. Update the Risk Register

    Consider whether a new risk is required on the risk register, to be managed as part of the risk management process.

    (Image: ISO 27001 Risk Register Example)

  15. Update the Audit Schedule

    Update the audit schedule to show that the audit was conducted.
    Update the forward schedule for future audits as required based on the outcome of this audit. If nonconformities were observed, consider scheduling a re-audit in 3 months' time.
    Update all document version control information.
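The scheduling rules in steps 1, 2 and 15 (external audits as anchor points, every ISMS clause and Annex A control audited at least once in 12 months, a re-audit about 3 months after a nonconformity, and high-risk controls audited more than once) can be turned into a small forward-schedule checker. The following is an added example, not a template from the article or the toolkit; the control references, owners and dates are constructed sample data, and the 6-month interval for high-risk controls is an assumption made for the example (the article only says to consider auditing such controls more than once):

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Intervals used by the planner. Every ISMS clause and Annex A control must be
# audited at least once in 12 months; the ~3-month re-audit after a
# nonconformity follows step 15. The 6-month interval for high-risk controls
# is an assumption made for this example, not a requirement of the standard.
ANNUAL = timedelta(days=365)
HIGH_RISK = timedelta(days=182)
REAUDIT_AFTER_NC = timedelta(days=91)


@dataclass
class Control:
    ref: str                          # e.g. an Annex A control or ISMS clause reference
    owner: str                        # the accountable/responsible person from the RASCI matrix (step 3)
    high_risk: bool = False
    last_audited: Optional[date] = None
    nonconformity: bool = False       # a nonconformity was raised at the last audit


def next_due(control: Control, external_audit: date) -> date:
    """Latest date by which the control must have been (re-)audited.

    The external audit is the anchor point: every internal audit must have
    completed before it, and a control that has never been audited is due by then.
    """
    if control.last_audited is None:
        return external_audit
    if control.nonconformity:
        interval = REAUDIT_AFTER_NC
    elif control.high_risk:
        interval = HIGH_RISK
    else:
        interval = ANNUAL
    return min(control.last_audited + interval, external_audit)


def build_plan(controls: list[Control], external_audit: date) -> list[tuple[date, str, str]]:
    """Forward audit schedule as (due date, control ref, owner), earliest first."""
    plan = [(next_due(c, external_audit), c.ref, c.owner) for c in controls]
    return sorted(plan)


def overdue(controls: list[Control], external_audit: date, today: date) -> list[str]:
    """Refs of controls whose due date has passed, i.e. the audit plan has slipped (step 2)."""
    return [c.ref for c in controls if next_due(c, external_audit) < today]


def record_audit(control: Control, when: date, nonconformity: bool) -> Control:
    """Step 15: update the schedule once an audit has been conducted."""
    control.last_audited = when
    control.nonconformity = nonconformity
    return control


# Constructed sample data (not from the article): four controls and an
# external audit booked for 15 June 2025.
EXTERNAL_AUDIT = date(2025, 6, 15)
SAMPLE_CONTROLS = [
    Control("A.5.15", "Alice", last_audited=date(2024, 3, 1)),
    Control("A.8.8", "Bob", high_risk=True, last_audited=date(2024, 11, 10)),
    Control("A.5.24", "Carol", last_audited=date(2025, 1, 20), nonconformity=True),
    Control("ISMS 7.2", "Dave"),      # never audited yet: due before the external audit
]

if __name__ == "__main__":
    for due, ref, owner in build_plan(SAMPLE_CONTROLS, EXTERNAL_AUDIT):
        print(f"{due}  {ref:<9} {owner}")
    print("overdue on 2025-04-30:", overdue(SAMPLE_CONTROLS, EXTERNAL_AUDIT, date(2025, 4, 30)))
```

Run as a script it prints the forward schedule in due-date order and lists the controls that have slipped as of a given day; the sorted output is what you would carry into the audit plan document, and the `overdue` list is what you would raise at the next Management Review Team meeting. Keeping the intervals as named constants makes it easy to change the re-audit window if your risk assessment calls for something other than 3 months.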

Watch the YouTube tutorial How to implement ISO 27001 Clause 9.2 Internal Audit

How do you implement it?

After you find things to fix, you need to make a plan to fix them. This is called the implementation phase. You should assign tasks to people, set deadlines, and then check later to make sure the fixes were made.

Examples of using it for small businesses

Imagine you’re a small online store. Your audit might focus on things like making sure your payment system is secure, that you’re not keeping old customer credit card numbers, and that your employees are using strong passwords.

Examples of using it for tech startups

As a tech startup, your audit might look at your development process. Are you checking your code for security bugs? Are you testing new features to make sure they’re safe? You’ll also check how you protect your intellectual property.

Examples of using it for AI companies

For an AI company, you’d audit how you collect and store the data you use to train your models. Are you anonymising the data? Are you following privacy rules? You’d also check to make sure your models are protected from being tampered with.

How can the ISO 27001 toolkit help?

The ISO 27001 toolkit is a great shortcut. It often includes pre-written policies, procedures, and forms that you can use right away. It saves you the hassle of writing everything from scratch and helps you make sure you don’t miss any important details.

(Image: ISO 27001 Toolkit)

Which information security standards need it?

The internal audit is a key part of the ISO 27001 standard. It’s how you prove to the auditors that you’ve been doing the right things to protect your information.

Other standards that need it include:

  • GDPR (General Data Protection Regulation)
  • CCPA (California Consumer Privacy Act)
  • DORA (Digital Operational Resilience Act)
  • NIS2 (Network and Information Security (NIS) Directive) 
  • SOC 2 (Service Organisation Control 2)
  • NIST (National Institute of Standards and Technology) 
  • HIPAA (Health Insurance Portability and Accountability Act)

ISO 27001 Audit Plan Example

(Image: ISO 27001 Audit Plan Example)

ISO 27001 Accountability Matrix Example

(Image: ISO 27001 RASCI Matrix Free PDF Example)

ISO 27001 Internal Audit Worksheet Example

(Image: ISO 27001 Audit Worksheet)

ISO 27001 Incident and Corrective Action Log Example

(Image: ISO 27001 Incident and Corrective Action Log Example)

ISO 27001 Risk Register Example

(Image: ISO 27001 Risk Register Example)

ISO 27001 Internal Audit FAQ

What’s the difference between an internal and an external audit?

An internal audit is done by your company, while an external audit is done by a professional, certified auditor.

How long does an internal audit take?

It depends on your company’s size, but it can take anywhere from a few days to a few weeks.

Do I have to hire a consultant?

No, you can do it yourself, but a consultant can be a great help, especially the first time.

What if I find a major problem?

Don’t panic! The point of the audit is to find problems so you can fix them.

Can I do it all online? 

Yes, you can use online tools and templates to help you.

How often do I have to do it?

The standard says at least once a year.

What’s a non-conformity?

It’s a fancy word for something that’s not following the rules of the standard.

Can I fail an internal audit?

It’s not about passing or failing, but about finding areas for improvement.

Do I have to do it before getting certified?

Yes, it’s a required step.

What if my business is super small?

Even if you’re a one-person business, you can still follow the steps to make sure your data is safe.

Do I need special software? 

You can use simple tools like spreadsheets, but there are also specialised tools for audits.

What’s the best way to get started?

Start with a simple plan and a good template.

What’s the most common mistake? 

Not documenting your findings is a big one.

How much does it cost?

The cost is mainly your time, but if you hire a consultant or buy a toolkit, that’s an added cost.

What’s the biggest benefit?

The biggest benefit is knowing that your information is as safe as it can be.

About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is active and a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2 and his niche is start up and early stage business.