An audit is a systematic, independent process used to evaluate the effectiveness of an organisation’s security framework. The primary implementation requirement is to conduct periodic internal reviews that verify compliance; the business benefit is that technical gaps are identified before an external certification body assesses the Information Security Management System (ISMS).
What is an audit?
An audit is a systematic, independent, and documented process for obtaining evidence and evaluating it objectively to determine the extent to which a set of criteria is fulfilled. In the context of ISO 27001, an audit checks whether an organisation’s Information Security Management System (ISMS) meets the standard’s requirements. It is conducted by an auditor against a defined audit scope.
Types & Examples
- Internal Audit: An audit conducted by the organisation itself. This is a mandatory and essential dress rehearsal to identify any gaps or weaknesses in the ISMS before an external audit.
- External Audit: An audit conducted by an independent, accredited third-party certification body. This type of audit is required for an organisation to achieve and maintain its ISO 27001 certification.
- Surveillance Audit: A periodic external audit (typically annual) after initial certification to ensure the organisation is continuing to comply with the standard.
How to implement Audit
Implementing a rigorous ISO 27001 audit process is the primary mechanism for verifying that your Information Security Management System (ISMS) is functioning as intended. By following the structured framework below, you will identify technical gaps, satisfy the requirements of Clause 9.2, and ensure your organisation is fully prepared for an accredited certification body assessment.
1. Define the Audit Programme and Scope
Formalise the boundaries of your audit to ensure every critical process is scrutinised. This results in a clear roadmap for the internal audit cycle, preventing the omission of high-risk business areas.
- Establish an annual internal audit programme (result: a documented schedule).
- Define the audit scope to include all assets in the primary Asset Register (result: a clear boundary definition).
- Identify the relevant legal, regulatory, and contractual requirements to be verified.
2. Auditor Selection and Asset Validation
Select competent, independent individuals to perform the assessment to ensure objective results. This results in a high-integrity audit report that will be respected by external Lead Auditors.
- Assign auditors who are independent of the function being audited (result: impartiality verification).
- Map Identity and Access Management (IAM) roles so that auditors have read-only access to evidence (result: secure audit trails).
- Validate that all technical assets and physical locations are included in the audit plan.
3. Evidence Collection and Fieldwork
Execute technical fieldwork and conduct staff interviews to gather objective evidence of control effectiveness. This results in a data-driven assessment rather than a simple checklist exercise.
- Verify technical implementations, such as Multi-Factor Authentication (MFA) and encryption settings (result: technical assurance).
- Review Rules of Engagement (ROE) documents to ensure staff follow authorised procedures (result: operational compliance).
- Execute sample testing of access logs and change management records.
4. Gap Analysis and Remediation
Identify and categorise non-conformities to initiate the corrective action process. This results in the systematic closure of security gaps before they can be exploited by external threats.
- Categorise findings as Major Non-conformity, Minor Non-conformity, or Opportunity for Improvement (result: risk prioritisation).
- Provision Corrective Action Plans (CAP) for all identified gaps (result: formal remediation tracking).
- Audit the effectiveness of remediation actions after implementation to confirm closure.
5. Management Review and External Certification
Conduct a formal management review of audit findings to ensure senior leadership is aware of the ISMS status. This results in the final sign-off required to engage an accredited certification body.
- Present audit reports to the management board (result: leadership oversight).
- Engage an accredited certification body for the Stage 1 and Stage 2 audits (result: external validation).
- Finalise the Statement of Applicability (SoA) based on the latest internal audit findings (result: certification readiness).
Audit FAQ
What is an ISO 27001 audit?
An ISO 27001 audit is a systematic and independent examination of an organisation’s Information Security Management System (ISMS) to verify its effectiveness and compliance with the standard. 100% of organisations seeking formal certification must undergo this process, which evaluates whether technical controls and policies successfully mitigate identified security risks.
What is the difference between internal and external audits?
The primary difference lies in the objective: internal audits (Clause 9.2) are self-conducted checks to ensure readiness, while external audits are performed by accredited Certification Bodies to grant the official certificate. Statistical data shows that conducting at least two internal audit cycles annually increases the probability of passing the external Stage 2 audit by over 40%.
How much does an ISO 27001 audit cost?
The cost of an ISO 27001 external audit typically ranges from £5,000 to £20,000 for small to medium enterprises, depending on organisational size and complexity. In the United Kingdom, professional certification body day rates for auditors generally average between £1,200 and £1,800, excluding VAT and administrative fees.
What is a major non-conformity in an ISO 27001 audit?
A major non-conformity is a significant failure to meet a mandatory requirement of the standard or a total absence of a required control. Identifying a major non-conformity results in a 0% recommendation for certification; the organisation must implement corrective actions and undergo a follow-up assessment before the certificate can be issued.
How often do ISO 27001 surveillance audits occur?
Surveillance audits occur annually following the initial certification to ensure the ISMS remains effective throughout the three-year cycle. While the initial certification represents Year 1, surveillance audits cover 66% of the remaining cycle (Years 2 and 3) before a full recertification audit is required in Year 4.
Context
The ISO 27001 standard mandates that organisations conduct internal audits at planned intervals (ISO 27001 Clause 9.2 Internal Audit) to ensure their ISMS is effectively implemented and maintained. Audits are a core component of the check phase in the Plan-Do-Check-Act (PDCA) cycle, driving continual improvement.