ISO 27001 Internal Audit: How to Run One That Adds Value

An ISO 27001 internal audit can either be a painful annual chore or one of the most useful health checks your organisation does all year. Clause 9.2 of ISO 27001 expects you to run internal audits that test whether your ISMS is working, not just whether the paperwork exists.

Below is a practical way to approach your ISO 27001 internal audit so it adds value, supports certification and helps you meet local obligations such as the Privacy Act and APRA CPS 234 expectations around testing control effectiveness and internal audit.

What is an ISO 27001 internal audit meant to achieve?

At its core, an ISO 27001 internal audit is an independent check on two things:

  • Does your ISMS conform to ISO 27001 and your own internal requirements

  • Is it effective in managing information security risks, not just compliant on paper

Done well, it should:

  • Highlight real control gaps before your certification or surveillance audit

  • Give you evidence for management that security controls are working (or not)

  • Feed into continual improvement, rather than generating a report nobody reads

If your current audit feels like a box‑ticking exercise, the issue is usually the scope you set and the questions you ask, not the standard itself.

ISO 27001 internal audit scope and criteria: getting this right up front

Before you open a checklist, be clear on scope and criteria. Clause 9.2 expects you to define these, not let the auditor make it up on the fly.

For scope, think about:

  • Which parts of the ISMS you will cover this cycle (clauses 4 to 10 and Annex A controls)

  • Which locations, systems and business units are in scope

  • How this lines up with your Statement of Applicability and risk register

For audit criteria, you should always include:

  • ISO 27001:2022 requirements

  • Your own ISMS policies, procedures and standards

  • Any regulatory or customer requirements that matter, such as CPS 234, ASD Essential Eight targets or specific contract clauses

Write the scope and criteria down in the audit plan so nobody is surprised later.

A practical ISO 27001 internal audit checklist

You do not need a 20‑page audit script to be thorough. You do need a clear ISO 27001 internal audit checklist that covers the main areas of the standard and your risks.

As a simple structure:

  1. Context and leadership

    • Is the ISMS scope still accurate

    • Are information security objectives measurable and linked to risk

    • Has management reviewed the ISMS and acted on previous findings

  2. Risk management and treatment

    • Is there a current risk assessment and treatment plan

    • Do the Statement of Applicability justifications tie back to risks

    • Are residual risks reviewed and accepted by the right owners

  3. Support and operations

    • Are policies, procedures and training being followed in practice

    • Do change, access and supplier processes match what is documented

    • Are incident and weakness reports being logged and acted on

  4. Performance evaluation and improvement

    • Are security metrics and monitoring in place and reviewed

    • Have previous nonconformities and actions been closed

    • Is there evidence of continual improvement, not just fire‑fighting

  5. Annex A control samples

    • Sample organisational, people, physical and technology controls that matter most to your risk profile, such as access control, logging and monitoring, backup, secure development and phishing resilience.

You can expand or contract this checklist depending on your size, but keeping it structured avoids random “spot checks” that do not link back to ISO 27001.

If you are not sure whether your current audit approach will satisfy ISO 27001 and CPS 234 expectations, a one‑off internal audit or gap analysis by an external specialist can save a lot of pain later. Siege Cyber runs independent ISO 27001 internal audits and health checks for Australian organisations that want a clear, practical view of where they stand.

How to conduct an ISO 27001 internal audit that adds value

Most organisations technically meet the requirement to perform an ISO 27001 internal audit. Fewer get real insight from it. Here is a simple way to keep it useful.

1. Treat it as a mini project

Give the audit a plan, an owner and a timeline. A basic audit plan should cover:

  • Scope and criteria as discussed above

  • Which processes and controls you will sample

  • Who will be interviewed and what records you will review

  • How and when you will report back to management

This keeps the audit focused and avoids “audit fatigue” where people feel they are being asked the same questions across multiple frameworks.

2. Focus on risk and evidence (not just documents)

An ISO 27001 internal audit that adds value is risk‑based. Rather than only checking if a policy exists, ask:

  • What are the key information risks for this area

  • Which controls are meant to manage those risks

  • Is there evidence those controls are operating as intended

For example, if credential stuffing and phishing are major risks, check that strong authentication is actually enforced, how the password policy is applied in practice, and how users behave when they receive suspicious emails. Do not stop at reading the policy.

3. Use interviews and walk‑throughs

You learn more by watching someone use the process than by reading a document. For each area in scope, pick a couple of simple tests:

  • Ask a product manager to walk you through how a new feature goes from idea to production, and where security fits

  • Ask HR or People & Culture how they onboard and offboard staff and contractors

  • Ask IT to show you a sample of access changes, incident tickets or backup restores

This is where you see the gaps between how things are meant to work and how they actually work day to day.

4. Record clear, useful findings

A good ISO 27001 internal audit report does not drown people in jargon. For each issue, aim to capture:

  • What you saw (evidence)

  • Why it matters (risk or requirement)

  • How serious it is (observation, minor nonconformity or major nonconformity)

  • What you recommend as a next step

This makes it much easier for management to prioritise and for future audits to check whether actions were effective.

Where automation helps and where it doesn’t

If you are using platforms like Vanta or Drata to support ISO 27001, they can take a lot of manual effort out of evidence collection, task tracking and ISO 27001 internal audit checklists.

They do not replace the need for someone who understands:

  • How to interpret Clause 9.2 and Annex A for your business

  • Which CPS 234 and Essential Eight expectations should influence your audit scope

  • How to distinguish a paperwork issue from a real security risk

Siege Cyber partners with both Vanta and Drata, and we often see the best outcomes when clients combine automation with an experienced ISO 27001 consultant who can shape the audit and interpret the results.

When to bring in an external ISO 27001 internal auditor

You do not have to outsource ISO 27001 internal audits, but many Australian organisations choose to, especially where:

  • The ISMS owner is too close to the work to be truly independent

  • There is limited in‑house experience with ISO 27001:2022 and Annex A changes

  • The board or APRA‑regulated customers want additional assurance of objectivity

An external ISO 27001 internal audit can:

  • Benchmark you against peers and certification expectations

  • Stress‑test your ISMS before certification or surveillance audits

  • Give you a clear, prioritised action list rather than a vague checklist dump

Siege Cyber’s ISO 27001 services include internal audits, ISMS design and support, and preparation for certification, including for organisations using Vanta or Drata. For many clients we also align the work with other frameworks such as SOC 2 and ASD Essential Eight so you are not running separate audit cycles.

Turning your next ISO 27001 internal audit into a real health check

If your last internal audit felt like a tick‑box exercise, your next one is a chance to reset. Define a clear ISO 27001 internal audit scope and criteria, use a simple but structured checklist, and keep the focus on risk and effectiveness rather than just documents. Over time, this approach gives you better conversations with management, stronger evidence for regulators and customers, and fewer surprises at certification time.

If you would like help planning or running an ISO 27001 internal audit that adds value, Siege Cyber can help. Visit siegecyber.com.au or head straight to our ISO 27001 services page and pricing to book a discussion. We are based in Brisbane and work with organisations across Australia that want their audits to support real security outcomes, not just certification.