High Table Logo Website

Home / ISO 27001 Glossary of Terms / Auditor

Auditor

11/09/2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

Auditor Definition - ISO 27001 Glossary

An auditor is a person who has the competency to conduct an audit. In the context of ISO 27001, an auditor is trained to systematically and independently evaluate an organisation’s Information Security Management System (ISMS) against the requirements of the standard. An auditor’s role is not to offer advice but to objectively collect evidence and report on the effectiveness of the ISMS.

Types & Roles

  • Internal Auditor: A member of the organisation who has been trained to perform an audit. They help the organisation identify non-conformities and opportunities for improvement.
  • External Auditor: An auditor from an accredited third-party certification body. Their independent assessment is required for an organisation to achieve and maintain its ISO 27001 certification.

Key Responsibilities

  • Planning the Audit: Defining the scope, criteria, and objectives of the audit.
  • Collecting Evidence: Gathering information through interviews, document reviews, and observations.
  • Evaluating Findings: Objectively assessing the evidence against the ISO 27001 standard’s requirements.
  • Reporting: Documenting the audit findings, including any non-conformities, to the organisation’s management.

ISO 27001 Context

The role of an auditor is vital for the Check phase of the Plan-Do-Check-Act (PDCA) cycle. The auditor’s findings provide the organisation with the necessary information to correct deficiencies and continually improve its information security posture.

Tags:
Stuart Barker, ISO 27001 expert

Stuart Barker
ISO 27001 Expert and Thought Leader

ISO 27001 Toolkit Business Edition
ISO 27001 Jumpstart Kit
ISO 27001 Consultant Toolkit
Stuart Barker, ISO 27001 expert

About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is an active and a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2 and his niche is start up and early stage business.