The five stages of a successful ISO 27001 audit

Luke Irwin 22nd June 2021

Internal audits are an essential part of ISO 27001 compliance, so it’s important that you know what you’re doing.

Fortunately, this blogs explains the five steps you need to follow to ensure that your internal audit is a success.

1. Scoping and pre-audit survey

You must conduct a risk-based assessment to determine the focus of the audit, and to identify which areas are out of scope.

Information sources could include industry research, previous ISMS (information security management system) reports or other documents, such as the ISMS policy.

Make sure that the audit’s scope is relevant in relation to the organisation – it should normally match the scope of the ISMS being certified.

2. Planning and preparation

After agreeing the ISMS audit scope, auditors must break it down into greater detail.

This involves generating an ISMS audit workplan, in which the timing and resourcing of the audit is agreed with management. Conventional project planning charts, such as Gantt, may prove helpful.

Audit plans identify and put boundaries around the remaining phases of the audit, and often include ‘checkpoints’ that detail specific opportunities for auditors to provide informal interim updates to managers.

Such updates allow auditors to raise concerns regarding access to information or people, and for management to raise concerns regarding the audit process.

You must specify the timing of important audit work so that you can prioritise aspects that you believe pose the greatest risk should the ISMS be found inadequate.

3. Fieldwork

Once an ISMS audit workplan has been generated, auditors must gather evidence by interviewing staff, managers and other stakeholders associated with the ISMS.

They should also review ISMS documents, printouts and data, and observe ISMS processes in action.

4. Analysis

The audit evidence should be sorted, filed and reviewed in relation to the risks and control objectives.

Occasionally, analysis may identify gaps within the evidence or indicate the need for more audit tests, which will involve further field testing.

5. Reporting

This essential component of the audit process typically consists of:

An introduction clarifying the scope, objectives, timing and extent of the work performed;
An executive summary indicating the key findings, a brief analysis and a conclusion;
The intended report recipients and, where appropriate, guidelines on classification and circulation;
Detailed findings and analysis;
Conclusions and recommendations; and
A statement from the auditor detailing recommendations or scope limitations.

The draft audit report should be presented to and discussed with management. Further review and revision may be necessary, because the final report generally involves management committing to an action plan.

Achieve ISO 27001 certification with IT Governance

Having helped more than 800 organisations certify to ISO 27001, IT Governance is a world leader when it comes to implementing the Standard.

If you’re looking for help certifying to ISO 27001 or simply want to boost your information security practices, we have a range of services that can help.

This includes support completing specific tasks, such as the internal audit and gap analysis, as well as consultancy services that guide you through the entire process.

Whether you’re after a little help or a lot of help, IT Governance has you covered.

Find out more

A version of this blog was originally published on 27 November 2017.

The GDPR has arrived: What happens now?

Top 10 trends to inform your cyber security strategy – part 1

How to document your information security policy

About The Author

Luke Irwin

Luke Irwin is a former writer for IT Governance. He has a master’s degree in Critical Theory and Cultural Studies, specialising in aesthetics and technology.

The five stages of a successful ISO 27001 audit - IT Governance Blog En (2024)