Introduction
A central component of ISO 27001 compliance is the internal audit process. More than just a tick-box activity, ISO 27001 internal audits are a powerful mechanism for identifying security risks, closing compliance gaps, and driving continuous improvement across the ISMS.
In this article, we will explore what ISO 27001 internal audits are, why they matter, and how to conduct them effectively within your organisation.
What Is ISO 27001?
ISO/IEC 27001 is the leading international standard that outlines the requirements for establishing, implementing, maintaining, and continually improving an ISMS. The standard follows a risk-based approach and promotes the protection of confidentiality, integrity, and availability of information.
An effective ISMS enables organisations to manage risks related to data breaches, cyberattacks, or misuse of information—threats that have become increasingly prevalent across all industries.

The Role of Internal Audits in ISO 27001
Clause 9.2 of ISO 27001 outlines the requirement for organisations to conduct internal audits at planned intervals. The purpose of the audit is to:
Determine whether the ISMS conforms to the organisation’s own requirements and the requirements of ISO 27001.
Assess the effective implementation and maintenance of the ISMS.
Identify opportunities for improvement.
An internal audit serves as a mirror, allowing organisations to critically evaluate how well their security controls, processes, and procedures are performing in practice.
Why Internal Audits Are Crucial
Organisations that treat internal audits as more than just a compliance requirement are better positioned to build resilient, future-ready information security systems. Here’s why internal audits are critical:
1. Verify Compliance with ISO 27001 and Regulatory Requirements
Internal audits help ensure that the ISMS aligns with ISO 27001 requirements. For medical device companies and healthcare service providers, audits can also uncover gaps related to GDPR, MDR, HIPAA, or local data protection laws.
2. Identify and Mitigate Security Risks
Audits enable early identification of vulnerabilities or nonconformities before they escalate into incidents. This proactive risk management approach is at the heart of ISO 27001.
3. Support Continuous Improvement
ISO 27001 promotes a Plan-Do-Check-Act (PDCA) model. Internal audits are part of the “Check” phase, helping evaluate whether policies and controls are functioning as intended and guiding corrective actions.
4. Prepare for Certification and Surveillance Audits
A well-conducted internal audit program prepares organisations for external audits by certification bodies, making sure that everything from documentation to control effectiveness is in top form.
Planning and Conducting an ISO 27001 Internal Audit
1. Establish an Audit Program
The audit program should cover the entire scope of your ISMS and be risk-based. Some areas may need to be audited more frequently based on their importance or history of nonconformities.
Define:
Objectives and criteria: What are you auditing against? (e.g. ISO 27001 clauses, internal policies)
Frequency: How often will audits be conducted?
Responsibilities: Who will plan, perform, and report the audits?
Methods: On-site, remote, interviews, document reviews, technical tests, etc.
2. Ensure Auditor Competency and Impartiality
Auditors must be competent—meaning they understand ISO 27001, the ISMS, and your business environment. They must also be impartial and not audit their own work. For smaller organisations, this may require using external auditors or cross-functional audits.
3. Prepare the Audit Plan
An audit plan outlines:
Scope and objectives
Areas and processes to be audited
Timeframes
Audit methods
Resources needed
The plan should be shared with relevant stakeholders in advance to minimise disruption and ensure availability of key personnel.
4. Conduct the Audit
During the audit, the auditor gathers objective evidence by:
Reviewing documentation and records
Interviewing personnel
Observing processes in action
Inspecting physical or digital security controls
The auditor then assesses compliance, identifies nonconformities, and records observations and opportunities for improvement.
5. Report Findings
The audit report should be clear, concise, and actionable. It typically includes:
Audit scope, criteria, and objectives
Summary of the audit process
Details of any nonconformities or observations
Recommendations or corrective actions
Conclusions on ISMS effectiveness
Reports should be communicated to top management and relevant process owners.
6. Follow-Up and Corrective Actions
Nonconformities identified during the audit must be addressed through corrective actions. This involves:
Root cause analysis
Planning and implementing corrective actions
Verifying their effectiveness
Closing the findings formally
ISO 27001 expects this follow-up to be documented and tracked to closure.
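The six steps above are easier to keep honest when the audit program and the findings register live in something more structured than a spreadsheet tab. The following Python script is an added example written for this article (it is not code from Patient Guard or from the ISO 27001 standard): it applies the risk-based scheduling of step 1, flagging areas that are overdue for their risk tier or that would fall outside the defined audit cycle, and the closure discipline of step 6, refusing to close a nonconformity until root cause, corrective action and effectiveness verification are all recorded. The per-tier intervals, the area names and the findings are constructed sample values, not figures from the standard.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical policy values: maximum days between audits for each risk tier.
# Higher-risk areas are revisited more often, as a risk-based audit program requires.
MAX_INTERVAL_DAYS = {"high": 180, "medium": 365, "low": 730}
RISK_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Area:
    """An in-scope ISMS area (process, site or control group) and when it was last audited."""
    name: str
    risk: str
    last_audited: Optional[date] = None


@dataclass
class Finding:
    """A nonconformity raised during an audit, tracked through the follow-up steps."""
    ref: str
    area: str
    severity: str                      # "major", "minor" or "observation"
    root_cause: str = ""
    corrective_action: str = ""
    effectiveness_verified: bool = False
    closed: bool = False


def areas_due(areas, today, cycle_days):
    """Return the names of areas that need auditing, highest risk first.

    An area is due when it has never been audited, when its risk-tier interval has
    elapsed, or when it would otherwise fall outside the defined audit cycle, so the
    program still gives full ISMS coverage over that cycle.
    """
    due = []
    for area in areas:
        interval = min(MAX_INTERVAL_DAYS[area.risk], cycle_days)
        if area.last_audited is None or (today - area.last_audited).days > interval:
            due.append(area)
    due.sort(key=lambda a: RISK_ORDER[a.risk])   # stable sort keeps input order within a tier
    return [a.name for a in due]


def close_finding(finding):
    """Close a finding only once root cause, corrective action and verification are recorded."""
    missing = [name for name, present in (
        ("root_cause", bool(finding.root_cause)),
        ("corrective_action", bool(finding.corrective_action)),
        ("effectiveness_verified", finding.effectiveness_verified),
    ) if not present]
    if missing:
        raise ValueError(f"{finding.ref} cannot be closed; missing: {', '.join(missing)}")
    finding.closed = True
    return finding


def open_findings(findings):
    """Findings still open, majors first, for the report to top management."""
    order = {"major": 0, "minor": 1, "observation": 2}
    return sorted((f for f in findings if not f.closed), key=lambda f: order[f.severity])


# Constructed sample data (not taken from any real audit).
TODAY = date(2025, 6, 1)
SAMPLE_AREAS = [
    Area("Access control", "high", date(2024, 11, 1)),     # 212 days ago: past the 180-day tier limit
    Area("HR security", "medium", date(2025, 2, 20)),      # 101 days ago: within limits
    Area("Supplier management", "low", None),              # never audited
    Area("Backup and recovery", "low", date(2024, 3, 1)),  # 457 days ago: beyond a 365-day cycle
]
SAMPLE_FINDINGS = [
    Finding("NC-01", "Access control", "major", root_cause="No owner for quarterly access review",
            corrective_action="Assign owner; add review to compliance calendar",
            effectiveness_verified=True),
    Finding("NC-02", "Access control", "minor", corrective_action="Reissue joiner/leaver guidance"),
    Finding("OBS-01", "HR security", "observation"),
]

if __name__ == "__main__":
    print("Due for audit:", areas_due(SAMPLE_AREAS, TODAY, cycle_days=365))
    close_finding(SAMPLE_FINDINGS[0])
    try:
        close_finding(SAMPLE_FINDINGS[1])          # root cause and verification not yet recorded
    except ValueError as err:
        print(err)
    print("Still open:", [f.ref for f in open_findings(SAMPLE_FINDINGS)])
```

Run with a 365-day cycle, the script lists Access control, Supplier management and Backup and recovery as due, closes NC-01, and refuses NC-02 with a message naming the missing follow-up steps, which is exactly the evidence trail a certification auditor will ask to see.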
Common Pitfalls in ISO 27001 Internal Audits
Even well-intentioned audit programs can fall short. Watch out for these common issues:
Lack of objectivity: Auditors reviewing their own departments or systems can introduce bias.
Superficial audits: Merely reviewing policies without testing implementation won’t provide a true picture.
Neglecting risk-based focus: Treating all areas equally instead of focusing on high-risk or critical areas undermines the value of audits.
Poor documentation: Audit trails must be clearly recorded to support findings and demonstrate due diligence.
Failure to act on findings: If audit results are ignored, the cycle of improvement is broken.
Integrating Audits into the ISMS Lifecycle
ISO 27001 is not a one-time achievement—it’s a living system. Internal audits play a key role in the ongoing lifecycle of the ISMS:
Post-incident reviews: Internal audits can validate the implementation of changes after a security breach or issue.
Control maturity checks: Are controls still suitable as the organisation grows or adopts new technologies?
Alignment with business strategy: Periodic audits help ensure that the ISMS evolves alongside business goals and risk appetites.
Internal Audit Tools and Techniques
Depending on your organisation’s size and complexity, you can use various tools to enhance your internal audit process:
Checklists aligned with ISO 27001 clauses and Annex A controls
Audit management software like ISMS.online, Conformio, or manual trackers (Excel, Google Sheets)
Risk and control matrices to tie audit findings back to the ISMS risk assessment
Templates for audit plans, reports, and corrective action tracking
When to Consider External Support
For some organisations—especially SMEs or those new to ISO 27001—developing and maintaining an effective audit function internally can be challenging. In such cases, external consultants can:
Act as impartial auditors
Provide training and mentoring to internal staff
Review or design your audit program
Perform mock audits before certification
At Patient Guard, we support medical device manufacturers, healthcare providers, and digital health companies in building and maintaining effective ISMSs, including tailored internal audit support.
Frequently Asked Questions (FAQs)
How often should ISO 27001 internal audits be conducted?
There is no fixed frequency specified in the ISO 27001 standard. However, audits must be performed at planned intervals based on the needs of the business and the risk profile of the ISMS. Most organisations conduct internal audits annually, though high-risk areas or newly implemented controls may require more frequent auditing. The key is to ensure full ISMS coverage over a defined audit cycle (e.g., every 12 or 24 months).
Can our own staff perform the internal audit?
Yes, but only if they are independent of the areas they are auditing and have the necessary competence. ISO 27001 requires internal auditors to be objective and impartial. If your IT team member is responsible for implementing controls, they shouldn’t audit those same controls. In smaller organisations, consider rotating responsibilities or engaging an external auditor to maintain independence.
What happens if the internal audit finds nonconformities?
Finding nonconformities is a normal and useful part of the internal audit process. Each nonconformity should be:
Documented clearly with supporting evidence
Assessed for risk or impact
Addressed through a corrective action plan
Reviewed to ensure the issue is fully resolved
Certification bodies will expect to see that internal findings are tracked and resolved in a structured way. It’s a sign of a healthy, functioning ISMS.
Do we have to audit every Annex A control?
Not necessarily. You are only required to implement and audit the Annex A controls that are applicable to your ISMS, based on your risk assessment and Statement of Applicability (SoA). Your internal audit should check that:
The SoA correctly justifies which controls are included or excluded
The controls that are implemented are working effectively
There is evidence to support the control’s implementation and monitoring
This targeted approach ensures the audit remains relevant and risk-focused.
Conclusion: More Than a Checklist
ISO 27001 internal audits are not just a requirement—they’re a strategic tool that fosters risk awareness, drives compliance, and strengthens the integrity of your ISMS. When planned and executed thoughtfully, internal audits provide a window into the health of your security posture and a roadmap for continuous improvement.
If your organisation is pursuing ISO 27001 certification or simply wants to raise its information security maturity, embedding an effective internal audit process into your ISMS is a crucial step.
Need help setting up or performing your ISO 27001 internal audits?
Contact Patient Guard today for expert support tailored to the needs of your industry and your ISMS maturity level.