ISO27001:2022 FAQ

Home / ISO 27001 Tutorials / How to do an ISO 27001 Internal Audit + Template

How to do an ISO 27001 Internal Audit + Template

Last updated Sep 25, 2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

ISO 27001 Internal Audit

If you are going for ISO 27001 certification or you are already certified then you are going to have to perform internal audits.

Internal audits are part of the continual improvement process. They check that everything is working as it should and identify any areas that could be improved.

ISO 27001 Internal Audit
What is an ISO 27001 Internal Audit?
Applicability to Small Businesses, Tech Startups, and AI Companies
ISO 27001 Internal Audit Template
Why do ISO 27001 Internal Audits?
Who should conduct an ISO 27001 Internal Audit?
When do you do an ISO 27001 internal audit?
Where do you need it?
How to Conduct and ISO 27001 Internal Audit: Step-By-Step
How do you implement it?
Examples of using it for small businesses
Examples of using it for tech startups
Examples of using it for AI companies
How can the ISO 27001 toolkit help?
Which information security standards need it?
ISO 27001 Audit Plan Example
ISO 27001 Accountability Matrix Example
ISO 27001 Internal Audit Worksheet Example
ISO 27001 Incident and Corrective Action Log Example
ISO 27001 Risk Register Example
ISO 27001 Internal Audit FAQ

What is an ISO 27001 Internal Audit?

ISO 27001 internal audit is the process of internally independently verifying the effectiveness of the information security management system and information security controls.

Applicability to Small Businesses, Tech Startups, and AI Companies

Internal audit is useful for any size company, no matter how big or small you are. Here’s how it applies:

Small Businesses: You can use it to show your customers that you take their data seriously. It helps you build trust and can give you a leg up on the competition.
Tech Startups: For you, it’s a great way to show potential investors and partners that you’re mature and responsible with your data. It helps you get ready for growth and keeps your operations secure.
AI Companies: Since you deal with so much data, this audit helps you make sure you’re handling it responsibly and ethically. It’s key to keeping your algorithms safe and your data processing secure.

ISO 27001 Internal Audit Template

Before we look at the step by step guide lets consider some helpful templates.

The best way is to get a copy of the Ultimate ISO 27001 Toolkit of which the ISO 27001 Audit Toolkit is a part. We have made the ISO 27001 Audit Toolkit available standalone.

The ISO 27001 Audit Toolkit includes everything you need to conduct ISO 27001 audits and ISO 27001 gap analysis.

ISO 27001 Gap Analysis and Audit Toolkit

Why do ISO 27001 Internal Audits?

Internal audit is a requirement of the ISO 27001 standard and covered explicitly in ISO 27001:2022 Clause 9.2 Internal Audit.

These audits are designed to help you improve the information security management system and ensure that it still meets the requirements of the ISO 27001 standard. It helps you spot weak spots in your security before a real problem happens. It’s like a fire drill for your data.

Who should conduct an ISO 27001 Internal Audit?

Internal audits should be performed by internal employees of the organisation. The caveat is that the person must have the experience and skills required to conduct an audit and be independent of the area being audited. If you do not have the competence or skills then an internal audit can be outsourced to a third party.

Being independent of the area being audited means that you must not be accountable, responsible or operate the area that is audited.

In this article I show you how you can conduct the internal as an internal employee.

When do you do an ISO 27001 internal audit?

You should do an internal audit at least once a year. It’s a good idea to do it before your big certification audit. You can also do one after a major change in your business, like launching a new product or moving to a new office.

There are typical 4 scenarios when an internal audit will be conducted:

Prior to the ISO 27001 certification audit
At least once annually
After an incident
After a significant change

Where do you need it?

You need to do the audit everywhere in your company where you handle information. That means you should check your computers, your servers, your cloud storage, and even how your employees handle paper documents.

How to Conduct and ISO 27001 Internal Audit: Step-By-Step

Time needed: 1 hour and 30 minutes

How to conduct an ISO 27001 Internal Audit

Create your ISO 27001 Audit Plan
The audit plan document allows you to plan both the internal and external audits for the year and to record when those audits took place.

You will complete the audit plan for the year ahead. Remembering that audit is based on risk the following are considerations when planning audits:

Plan your external audits first. These represent anchor points and give you a goal and target by which your internal audits should have completed.

The entire ISMS and the Annex A / ISO 27002 controls require auditing at least once in a 12-month period.

When considering if an area requires auditing more than once consider if the control represents a high-risk area or a significant incident or failing has occurred with the control in the last 12 months.

Note: Remember to audit both the ISMS and the ANNEX A controls.
Keep the audit plan up to date
The audit plan is updated based on changes and scheduling requirements. The following are usual scenarios when the audit plan will require updating:

Staff availability changes
Your audit plan slips
You have a significant incident

When the audit plan changes it should be presented at the next Management Review Team Meeting and recorded in the minutes of the meeting.

Note: Remember to update your document version control
Identify the control owners
The conduct and internal audit we need to know who we are going to audit. Identify and document the information security control owners and contact details.

The RASCI document is used to record who is accountable and who is responsible for the controls. Using this document, you will have recorded the people to speak to.
Decide on your audit approach
Audit is based on ‘If it is not written down it does not exist’. Your audit will look for evidence of documents, files, records. You have 3 main options in conducting an audit and you can choose one or a combination of the following:

Interview: Speaking to people and seeking answers to questions on controls. Be sure to record the date, time, location and who as well as the notes from the interview. It is best practice though not essential to send the record of the interview to the interviewee stating that if you have misunderstood or misrepresented for them to send you back the changes.

Observation of process and activity: Like an interview you will sit with the person and observe either the systems they use or the operation of the process as they perform it. Follow the same guidelines as for interview.

Review of documents and records: Speaking to control owners you will ask them to send you links to or copies of the documentation and records that make up the control. It can include screenshots. You are looking for the evidence of the operation of the process and control.
Contact the Control Owners
Make contact with the person or persons that you are going to audit. Introduce yourself and explain the context of what you are going to do, what you are going to cover in the audit and what the outcome will be. Explain to them your approach to the audit based on the 3 options discussed when deciding your audit approach. Ask them for the best times and dates for holding a 1-hour meeting to conduct the audit and be flexible to their schedule. You want the person onside and comfortable.
Arrange the Audit Meeting
Your audit meeting can take from 10 minutes up to 1 hour depending on the maturity of the process and the availability of the evidence. Schedule your first meeting for 1 hour.

Create and send an agenda that covers:
The time, location, and attendees
The details of the control objectives you will cover.
The list of documents or types of documents and records you would like access to .

Send the agenda and the meeting request in good time and be prepared to reschedule based on people’s availability.

Save a copy of the agenda in the audit folder for your records.

For a face-to-face meeting ensure that the meeting takes place in location with a screen on which the person can display any relevant documents.

For a web-based meeting ensure your environment is set up for a professional level meeting and your technology is properly configured. If sharing a desktop be sure that no confidential documents are open, that notifications are disabled, that chat is disabled.
Conduct your first meeting
Introduce yourself and explain the context of what you are doing, the agenda and what you are hoping to achieve. Explain the audit approach that you have decide to take. Explain that this is not a test, that not knowing an answer is perfectly acceptable and that a follow up meeting can be arranged for any gaps or documents can be shared after the meeting.
Perform the audit
For each control that you are auditing:
Read the control objective.
Clarify what the control objective is hoping to achieve.
Seek evidence that the control and control objective is being met and record your findings.
After the Audit Meeting
If there are items that were not able to be covered and require follow up repeat the above process until you are satisfied you have covered all control objectives and reviewed all available evidence.
Create the internal audit report
Record your findings in the audit report. Include an audit report summary and your audit working papers.
Report your audit findings to those audited
Either in person or digitally present your audit findings to the person(s) audited. Seek agreement that it represents what was discussed and the reality as they see it or clarifications they would wish to make. It may be that you have misunderstood something or that further evidence is available but was not provided on the day.
Be clear that the findings are not a reflection on any individual or their role and are not a comment on the operation in either a positive or negative way. Explain the findings are objective based on evidence provided. Where there is a request to provide additional supporting evidence consider setting a time limit.
Report your audit findings to the Management Review Team
Present the audit report and findings to the management review team and interested parties.
Update the Incident and Corrective Action Log
Update the Incident and Corrective Actions Log with nonconformities and the corrective actions.
Update the Risk Register
Consider if a new risk is required on the risk register and to be managed as part of the risk management process.
Update the Audit Schedule
Update the audit schedule to show that the audit that was conduct.
Update the forward schedule for future audits as required based on the outcome of this audit. If Non-Conformities were observed, consider scheduling a reaudit in 3 months time.
Update all document version control information.

Watch the YouTube tutorial How to implement ISO 27001 Clause 9.2 Internal Audit

How do you implement it?

After you find things to fix, you need to make a plan to fix them. This is called the implementation phase. You should assign tasks to people, set deadlines, and then check later to make sure the fixes were made.

Examples of using it for small businesses

Imagine you’re a small online store. Your audit might focus on things like making sure your payment system is secure, that you’re not keeping old customer credit card numbers, and that your employees are using strong passwords.

Examples of using it for tech startups

As a tech startup, your audit might look at your development process. Are you checking your code for security bugs? Are you testing new features to make sure they’re safe? You’ll also check how you protect your intellectual property.

Examples of using it for AI companies

For an AI company, you’d audit how you collect and store the data you use to train your models. Are you anonymising the data? Are you following privacy rules? You’d also check to make sure your models are protected from being tampered with.

How can the ISO 27001 toolkit help?

The ISO 27001 toolkit is a great shortcut. It often includes pre-written policies, procedures, and forms that you can use right away. It saves you the hassle of writing everything from scratch and helps you make sure you don’t miss any important details.

Get the Small Business ISO 27001 Toolkit >

Which information security standards need it?

The internal audit is a key part of the ISO 27001 standard. It’s how you prove to the auditors that you’ve been doing the right things to protect your information.

Other standards that need it include:

GDPR (General Data Protection Regulation)
CCPA (California Consumer Privacy Act)
DORA (Digital Operational Resilience Act)
NIS2 (Network and Information Security (NIS) Directive)
SOC 2 (Service Organisation Control 2)
NIST (National Institute of Standards and Technology)
HIPAA (Health Insurance Portability and Accountability Act)

ISO 27001 Audit Plan Example

ISO 27001 Accountability Matrix Example

ISO 27001 RASCI Matrix Free PDF Example 3

ISO 27001 Internal Audit Worksheet Example

ISO 27001 Incident and Corrective Action Log Example

ISO 27001 Risk Register Example

ISO 27001 Internal Audit FAQ

What’s the difference between an internal and an external audit?

An internal audit is done by your company, while an external audit is done by a professional, certified auditor.

How long does an internal audit take?

It depends on your company’s size, but it can take anywhere from a few days to a few weeks.

Do I have to hire a consultant?

No, you can do it yourself, but a consultant can be a great help, especially the first time.

What if I find a major problem?

Don’t panic! The point of the audit is to find problems so you can fix them.

Can I do it all online?

Yes, you can use online tools and templates to help you.

How often do I have to do it?

The standard says at least once a year.

What’s a non-conformity?

It’s a fancy word for something that’s not following the rules of the standard.

Can I fail an internal audit?

It’s not about passing or failing, but about finding areas for improvement.

Do I have to do it before getting certified?

Yes, it’s a required step.

What if my business is super small?

Even if you’re a one-person business, you can still follow the steps to make sure your data is safe.

Do I need special software?

You can use simple tools like spreadsheets, but there are also specialised tools for audits.

What’s the best way to get started?

Start with a simple plan and a good template.

What’s the most common mistake?

Not documenting your findings is a big one.

How much does it cost?

The cost is mainly your time, but if you hire a consultant or buy a toolkit, that’s an added cost.

What’s the biggest benefit?

The biggest benefit is knowing that your information is as safe as it can be.

Stuart Barker
ISO 27001 Expert and Thought Leader

Book a Call

ISO 27001 Toolkit: Tech Startup Edition

ISO 27001 Toolkit: Small Business Edition

ISO 27001 Toolkit: Consultant Edition

About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is an active and a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2 and his niche is start up and early stage business.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
wp_woocommerce_session_*	2 days	WooCommerce sets this cookie to make a unique code for each customer so that it knows where to find the cart data in the database for each one.
yith_wcmcs_currency	7 days	Required for currency conversion.
__stripe_mid	1 year	Stripe sets this cookie to process payments.
__stripe_sid	1 hour	Stripe sets this cookie to process payments.

Cookie	Duration	Description
yt-player-headers-readable	never	The yt-player-headers-readable cookie is used by YouTube to store user preferences related to video playback and interface, enhancing the user's viewing experience.
yt-remote-cast-available	session	The yt-remote-cast-available cookie is used to store the user's preferences regarding whether casting is available on their YouTube video player.
yt-remote-cast-installed	session	The yt-remote-cast-installed cookie is used to store the user's video player preferences using embedded YouTube video.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-fast-check-period	session	The yt-remote-fast-check-period cookie is used by YouTube to store the user's video player preferences for embedded YouTube videos.
yt-remote-session-app	session	The yt-remote-session-app cookie is used by YouTube to store user preferences and information about the interface of the embedded YouTube video player.
yt-remote-session-name	session	The yt-remote-session-name cookie is used by YouTube to store the user's video player preferences using embedded YouTube video.
ytidb::LAST_RESULT_ENTRY_KEY	never	The cookie ytidb::LAST_RESULT_ENTRY_KEY is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future.

Cookie	Duration	Description
sbjs_current	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_current_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_migrations	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_session	1 hour	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_udata	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.

Cookie	Duration	Description
PREF	8 months	PREF cookie is set by Youtube to store user preferences like language, format of search results and other customizations for YouTube Videos embedded in different sites.
VISITOR_INFO1_LIVE	6 months	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
m	1 year 1 month 4 days	No description available.
_monsterinsights_uj	1 year	Description is currently not available.