What IBEC Examines During an ISO 27001 Audit

A comprehensive ISO 27001 internal audit conducted by IBEC covers the full scope of your ISMS. In every engagement, we examine the areas listed below, with depth calibrated to your certification stage and audit objectives.
Mandatory Clauses (4-10)
Clause 4 – Context of the Organization – Review of interested parties, scope definition, and ISMS boundary documentation.
Clause 5 – Leadership – Evidence of top management commitment, ISMS policy approval, and assignment of roles and responsibilities.
Clause 6 – Planning – Risk assessment methodology, risk register completeness, Statement of Applicability (SoA) accuracy, and treatment plan adequacy.
Clause 7 – Support – Resource allocation, competence records, awareness program evidence, and document control procedures.
Clause 8 – Operation – Operational planning and control, risk treatment implementation, and supplier management.
Clause 9 – Performance Evaluation – Internal audit program records, monitoring and measurement results, and management review documentation.
Clause 10 – Improvement – Nonconformity records, corrective action logs, and evidence of continual improvement activity.
Annex A Control Themes
Organizational Controls (5.1-5.37) – Policies, roles, threat intelligence, asset management, access control, supplier relationships, incident management, and business continuity.
People Controls (6.1-6.8) – Screening, employment terms, security awareness and training, disciplinary processes, and remote work controls.
Physical Controls (7.1-7.14) – Physical security perimeters, entry controls, clear desk and screen policies, equipment security, and secure disposal.
Technological Controls (8.1-8.34) – User endpoint devices, privileged access, cryptography, secure development, vulnerability management, network security, and data masking.
Common ISO 27001 Internal Audit Findings – What We Find
Organizations that conduct their first ISO 27001 internal audit, or those that have relied on informal self-assessments, frequently encounter a predictable set of gaps. Awareness of these common findings helps organizations prioritize their preparation efforts.
Common Findings and Why They Matter
Incomplete or Inaccurate Statement of Applicability (SoA) – The SoA must justify every inclusion and exclusion of Annex A controls with documented rationale. An incomplete SoA is one of the most common major nonconformities in Stage 2 audits.
Risk Assessment Not Linked to Treatment Plan – ISO 27001 requires a traceable connection between identified risks, treatment decisions, and selected controls. Gaps in this chain indicate a process that exists on paper but not in practice.
Lack of Evidence for Control Operation – Documented policies exist, but no records demonstrate that controls are being executed. Auditors look for logs, screenshots, meeting minutes, and other objective evidence.
Internal Audit Program Not Completed as Scheduled – Organizations frequently plan internal audits but fail to execute them within the required intervals, creating a gap in Clause 9.2 compliance.
Management Review Records Are Insufficient – ISO 27001 requires that management reviews address specific inputs (audit results, risk status, performance metrics) and produce documented outputs. Generic meeting notes do not satisfy the requirement.
Supplier and Third-Party Risk Not Formally Assessed – Many organizations manage key suppliers informally. ISO 27001 requires documented supplier agreements and periodic security assessments of third parties with access to information assets.
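The SoA and traceability gaps above can be checked mechanically before an auditor does it by hand. The following Python script is an added illustration, not IBEC's tooling: it walks a constructed risk register and SoA excerpt and reports a risk treated by "modify" with no control selected, controls referenced but missing or excluded in the SoA, and SoA entries with no justification. The risk IDs, treatment vocabulary and sample data are assumptions made for the example.

```python
"""Traceability check: risk register -> treatment decision -> SoA control.
Constructed sample data; risk identifiers and structure are illustrative."""
from dataclasses import dataclass, field


@dataclass
class Risk:
    risk_id: str
    treatment: str                          # "modify", "accept", "avoid", "share"
    controls: list = field(default_factory=list)   # Annex A control IDs selected


@dataclass
class SoAEntry:
    applicable: bool
    justification: str = ""                 # rationale for inclusion or exclusion


def check_traceability(risks, soa):
    """Return (severity, message) findings for broken risk -> treatment -> control links."""
    findings = []
    used = set()
    for r in risks:
        if r.treatment == "modify" and not r.controls:
            findings.append(("major", f"{r.risk_id}: treatment 'modify' but no control selected"))
        for c in r.controls:
            used.add(c)
            entry = soa.get(c)
            if entry is None:
                findings.append(("major", f"{r.risk_id}: control {c} missing from SoA"))
            elif not entry.applicable:
                findings.append(("major", f"{r.risk_id}: control {c} excluded in SoA yet used for treatment"))
    for cid, entry in sorted(soa.items()):
        if not entry.justification.strip():
            kind = "inclusion" if entry.applicable else "exclusion"
            findings.append(("major", f"SoA {cid}: no justification for {kind}"))
        if entry.applicable and cid not in used:
            findings.append(("minor", f"SoA {cid}: applicable but not traced to any risk"))
    return findings


# Constructed sample: three risks and a three-control SoA excerpt (illustrative values).
SAMPLE_RISKS = [
    Risk("R-01", "modify", ["A.8.8"]),
    Risk("R-02", "modify", []),            # treatment chosen, no control selected
    Risk("R-03", "accept"),
]
SAMPLE_SOA = {
    "A.8.8": SoAEntry(True, "Vulnerability management required for internet-facing systems"),
    "A.8.11": SoAEntry(True, ""),          # included, but no documented rationale
    "A.7.10": SoAEntry(False, "No removable storage media in use"),
}

if __name__ == "__main__":
    for sev, msg in check_traceability(SAMPLE_RISKS, SAMPLE_SOA):
        print(f"[{sev}] {msg}")
```

Run against the sample data it reports three findings: two majors (R-02 without a control, A.8.11 without justification) and one minor (A.8.11 not traced to any risk).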
Types of Organizations That Benefit from IBEC’s ISO 27001 Internal Audit Service
IBEC’s internal audit services are designed for organizations at any stage of the ISO 27001 lifecycle:
Organizations Pursuing Initial Certification to ISO 27001 who need an independent pre-assessment before their Stage 2 audit to avoid costly nonconformities.
Certified Organizations Approaching Surveillance or Recertification Audits who want to verify ongoing conformance and address any drift from certified status.
Organizations That Lack Qualified Internal Audit Resources and need an external partner to fulfill the Clause 9.2 requirement with objectivity and independence.
Organizations That Have Received Nonconformities from Their Registrar and need structured corrective action support and follow-up verification.
Companies in Regulated Industries (healthcare, financial services, defense, cloud/SaaS) where ISO 27001 conformance is required by customers, partners, or regulators.
Speak with us to get your ISO 27001 internal audit scheduled today!
