Internal audit checks whether the ISMS conforms to ISO/IEC 27001 requirements, the organization’s own requirements, and whether it is effectively implemented and maintained.
Important point
Internal audit is mandatory for ISO/IEC 27001 conformity. Third-party certification may be optional depending on the organization’s business case, but internal audit cannot be skipped.
Audit evidence
Internal audits typically review:
- policies and procedures;
- risk assessment and treatment records;
- Statement of Applicability;
- control operation evidence;
- interviews;
- sampled transactions;
- management review outputs;
- corrective actions.
Related notes
- Internal audit
- Iso27001
- Isms
Note Metadata
Aliases: ISMS Internal Audit
Source: 01 Fundamentals/Internal Audit.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- Field of Application, Usage, and Compliance
- Information Security Management System
- Information Security Policy
- Management Responsibilities
- Segregation of Duties
- Statement of Applicability
- ISO 27001 A.5.10 - Acceptable Use of Information and Other Associated Assets
- ISO 27001 A.5.11 - Return of Assets
- ISO 27001 A.5.12 - Classification of Information
- ISO 27001 A.5.13 - Labelling of Information
- ISO 27001 A.5.14 - Information Transfer
- ISO 27001 A.5.15 - Access Control
- ISO 27001 A.5.16 - Identity Management
- ISO 27001 A.5.17 - Authentication Information
- ISO 27001 A.5.18 - Access Rights
- ISO 27001 A.5.19 - Information Security in Supplier Relationships
- ISO 27001 A.5.22 - Monitoring, Review and Change Management of Supplier Services
- ISO 27001 A.5.23 - Information Security for Use of Cloud Services
- ISO 27001 A.5.24 - Information Security Incident Management Planning and Preparation
- ISO 27001 A.5.25 - Assessment and Decision on Information Security Events
- ISO 27001 A.5.27 - Learning from Information Security Incidents
- ISO 27001 A.5.28 - Collection of Evidence
- ISO 27001 A.5.29 - Information Security During Disruption
- ISO 27001 A.5.31 - Legal, Statutory, Regulatory and Contractual Requirements
- ISO 27001 A.5.32 - Intellectual Property Rights
- ISO 27001 A.5.33 - Protection of Records
- ISO 27001 A.5.34 - Privacy and Protection of PII
- ISO 27001 A.5.35 - Independent Review of Information Security
- ISO 27001 A.5.36 - Compliance with Policies, Rules and Standards for Information Security
- ISO 27001 A.5.37 - Documented Operating Procedures
- ISO 27001 A.5.5 - Contact with Authorities
- ISO 27001 A.5.6 - Contact with Special Interest Groups
- ISO 27001 A.5.7 - Threat Intelligence
- ISO 27001 A.5.8 - Information Security in Project Management
- ISO 27001 A.5.9 - Inventory of Information and Other Associated Assets
- A.5 Organizational Controls MOC
- ISO 27001 A.6.1 - Screening
- ISO 27001 A.6.2 - Terms and Conditions of Employment
- ISO 27001 A.6.3 - Information Security Awareness, Education and Training
- ISO 27001 A.6.4 - Disciplinary Process
- A.6 People Controls MOC
- A.7 Physical Controls MOC
- A.5.5 Audit Evidence Pack
- Audit Evidence MOC
- ISO 27001 A.8.32 - Change Management
- ISO 27001 A.8.34 - Protection of Information Systems During Audit Testing
- A.8 Technological Controls MOC
- ISMS Implementation Roadmap
- Internal Audit Execution Guide
- ISO 27001 Auditor Guide
- ISO 27005 Risk Process Notes
- EXAM-006 - Implementation vs Audit Evidence
- EXAM-041 - Change Test Information and Audit Testing
- ISO 27001 Knowledge Base
- Audit Testing Plan and Authorization Record
- Authority Contact Register
- Template - Corrective Action Tracker
- Policy and Technical Compliance Review Register
- ISO 27001 Overview