Internal Audit

Here we will refer to ISMS requirements text from the ISO27001 Standard – Chapter 9.2: 

The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system:

a) conforms to
1. the organization’s own requirements for its information security management system; and
2. the requirements of this International Standard;

b) is effectively implemented and maintained.

The organization shall:
c) plan, establish, implement and maintain an audit programme(s), including the
frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into
consideration the importance of the processes concerned and the results of previous audits;

d) define the audit criteria and scope for each audit;

e) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;

f) ensure that the results of the audits are reported to relevant management; and

g) retain documented information as evidence of the audit programme(s) and the audit results.

Next to external audit (by accredited companies that can deliver certifications), you will need to also perform an Internal Audit. You can see this as an exam for external audit. The goal of the Internal audit is to make sure the ISMS conforms to the organization’s own requirements (information security policy, procedures, security objectives, etc.) as well as to the requirements in ISO 27001 and evaluates whether the ISMS is effectively implemented and maintained . Check Templates section for any policy or procedure you might still need to create. 

Our Compleye Vision is to develop a Real-Time Audit feature in Compleye Online, that will cover 80% of the internal audit online, real-time and automated. Over the past years we have developed an approach that works during external audits – and is working towards our vision of Real-Time Audit.

The Audit template we use – with criteria – refer to the evidence we can find in Compleye Online Platform, and will be improved on a monthly base. So – until the Real-Time Audit feature is ready, please reach out to us for the latest templates, when you are ready to take up this job.

In the meantime there are 2 options:

  1. DIY – Use our Internal Audit Procedure Template (focused on the process and documenting every step to be compliant with the ISO27001 requirements). Make sure, you can assign a team member (not in an ISMS role) to this job for objectivity.
  2. You can make use of the Compleye Services for this task – by assigning an external internal auditor, with experience and knowledge you can make use this as a good preparation for external audit. 

Furthermore keep in mind:

  • Plan to start with performing the Internal Audit 2 to 3 months before scheduled External Audit. As the first time this will take a lot of time and you will need to audit every aspect of the ISO27001 Standard.
  • Please read first the Internal Audit Process to understand what needs to be done – the manual process can take up to days of work.
  • All findings – from Internal Auditor – will need to be addressed by the ISMS Team, so make sure the right people (including Management/C-level) are part of this process. That is why we embedded in the process the investigation step; meaning that if we cannot find the evidence, you can provided during a session. The final report of internal audit will have finding that you will need to turn into new improvements – same process like Assessments.
  • The Standard requirements for you to have an Audit Plan for the entire period of Certification (3 years);
    Meaning that before the external audit you will need to audit every part of the ISO27001 norm and you can spread the norm requirements over the following years.  In the Compleye Vision of Real-Time Audit, we believe that you will need to have an overview of (as much as possible) requirements that you can track automatically. This means that you will can perform an internal audit on a yearly base on all requirements. An even better preparation for external audit. 
  • The main difference between Assessment and Audit 
    Generally, the purpose of an assessment  is to get a snapshot of the current reality of your organization. The purpose of an  audit  is more pointed and focused on compliance. An audit also measures the current reality, but it then compares it against a specific standard. This will illuminate specific gaps that should be corrected.

More in-depth information:

– Template Internal Audit Procedure

You need to add your Internal Reports to this section, evaluate the report by listing the findings and record the approval of the assessment and the findings by the management team. 

You can add new report by clicking on “Edit” button


Now you can upload new internal audit document. Make sure that the name of the Internal audit represent the period its been created for or the stage that the report is in – draft or final. 


After adding new internal report you need to document the findings by adding a new assessment, fill in the date it took place and write down the findings (option add as many findings as needed) 


As part of the mandatory Internal Audit process review – management team will need to approve the assessment and formulated findings, you can do that by selecting the approval date and approve. 


Was this article helpful?
0 out of 5 stars
5 Stars 0%
4 Stars 0%
3 Stars 0%
2 Stars 0%
1 Stars 0%
How can we improve this article?
Please submit the reason for your vote so that we can improve the article.