Most organizations pursuing ISO 27001 know they need an internal audit before the external stage 2. What they're less clear on is what that audit actually involves, how an auditor decides whether evidence is sufficient, and what a reasonable conclusion looks like when the ISMS is operating correctly.
This post walks through the ISO 27001 internal audit from the auditor's perspective: which clauses and controls are covered, how evidence is assessed on GRC platforms, and what the final report contains.
What the Audit Covers
An ISO 27001 internal audit covers two distinct layers: the management system requirements in Clauses 4 through 10, and the Annex A control set drawn from ISO 27002:2022.
- Clause 4 (Context): Internal and external issues relevant to the ISMS, interested parties and their requirements, and the documented scope of the ISMS.
- Clause 5 (Leadership): Top management commitment, documented roles and responsibilities, and the information security policy.
- Clause 6 (Planning): Risk assessment methodology, risk treatment plan, and information security objectives.
- Clause 7 (Support): Competence of personnel, security awareness, internal and external communications, and documented information management.
- Clause 8 (Operation): Execution of the risk assessment and risk treatment plan, with evidence that planned activities are taking place.
- Clause 9 (Performance Evaluation): Monitoring and measurement, the internal audit programme, and management review records.
- Clause 10 (Improvement): How nonconformities are handled, corrective actions taken, and how continual improvement is demonstrated.
The 2022 revision consolidated the Annex A control set to 93 controls across four categories (down from 114 controls across 14 domains in the 2013 version, with 11 new controls added):
- A.5 Organizational controls (37 controls): Policies, roles and responsibilities, threat intelligence, project security, asset management, access control, supplier relationships, incident management, business continuity, and legal compliance
- A.6 People controls (8 controls): Screening, terms of employment, security awareness and training, disciplinary process, and remote working
- A.7 Physical controls (14 controls): Physical perimeter, entry controls, secure working areas, and equipment security
- A.8 Technological controls (34 controls): User endpoint devices, access rights, authentication, vulnerability management, cryptography, logging, secure development, and change management
For a full breakdown of what changed between the 2013 and 2022 versions, Schellman's comparison guide (Schellman is an accredited ISO 27001 certification body) is a clean reference.
Not every control applies to every organization. A fully remote company with all data in cloud environments will correctly mark most physical controls in A.7 as not applicable, with justification documented in the Statement of Applicability. This is not a gap; it is the standard operating as designed.
How Evidence Is Assessed
ISO 27001 internal audits are sample-based. The auditor does not verify every access review record, every training completion, or every change ticket. A representative sample is drawn from each control and assessed against the policy requirements.
For most controls, two to three samples of operational evidence support a compliant conclusion. The external certification auditor may request additional samples, but the internal audit establishes the baseline and surfaces gaps before they become formal findings at the external stage.
What counts as sufficient evidence
For a control like "access requests are tracked through a ticketing system", a compliant conclusion requires: (a) a documented policy describing the process, and (b) operational evidence, such as sample tickets showing requests were raised and a named approver closed them. A screenshot from a different tool than the one named in the policy, or a ticket with no approval recorded, gets flagged as an open item before the external audit.
Evidence is typically held in a GRC platform such as Vanta, Drata, or Secureframe. These platforms integrate directly with cloud infrastructure, running automated tests against AWS, GitHub, Okta, and similar services. For technical controls, the platform can confirm that MFA is enforced, that encryption is active, and that vulnerability scans are current, without requiring manual screenshots for each check.
Policy-based controls require more careful review. Ownership, approval, version currency, and the match between what a policy describes and what the operational evidence shows are where most gaps surface.
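The evidence test described above, written out as a small assessment routine so the decision rule is explicit. This is an added example, not code from the post or from any GRC platform; the control references, policy records and tickets are constructed, and the severity mapping (wrong tool or missing approver on every sample is major, on some samples minor, a stale policy with otherwise sound evidence an observation) is an assumed encoding of the three categories the post describes.

```python
"""Sample-based evidence assessment for ISO 27001 internal audit controls.

Constructed example: every control, policy and ticket below is invented for
illustration; nothing here is exported from a real GRC platform.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Policy:
    present: bool            # a documented policy exists for the control
    tool: str                # the system the policy names, e.g. "Jira"
    current: bool = True     # version and approval are up to date


@dataclass
class Ticket:
    tool: str                # system the sampled record was taken from
    approver: Optional[str]  # named approver who closed the request
    closed: bool = True


@dataclass
class Control:
    ref: str                     # ISO 27002:2022 reference, e.g. "A.5.18"
    policy: Policy
    applicable: bool = True
    soa_justification: str = ""  # required when applicable is False


def check_sample(ticket: Ticket, policy: Policy) -> list:
    """Reasons one sampled ticket fails to evidence the control (empty = passes)."""
    reasons = []
    if ticket.tool != policy.tool:
        reasons.append(f"evidence from {ticket.tool}, policy names {policy.tool}")
    if not ticket.approver:
        reasons.append("no approver recorded")
    if not ticket.closed:
        reasons.append("request still open")
    return reasons


def assess_control(control: Control, samples: list) -> dict:
    """Land a control in Compliant, Not Applicable, or Finding (with severity)."""
    def result(conclusion, severity, reasons):
        return {"ref": control.ref, "conclusion": conclusion,
                "severity": severity, "reasons": reasons}

    if not control.applicable:
        if control.soa_justification:
            return result("Not Applicable", None, [control.soa_justification])
        return result("Finding", "minor", ["marked not applicable without SoA justification"])
    if not control.policy.present:
        return result("Finding", "major", ["no documented policy"])
    if not samples:
        return result("Finding", "major", ["no operational evidence sampled"])

    # Assumed severity rule: all samples fail -> major, some fail -> minor,
    # evidence sound but policy stale -> observation (housekeeping).
    failed = {i: check_sample(t, control.policy) for i, t in enumerate(samples, 1)}
    failed = {i: why for i, why in failed.items() if why}
    reasons = [f"sample {i}: {'; '.join(why)}" for i, why in failed.items()]
    if len(failed) == len(samples):
        return result("Finding", "major", reasons)
    if failed:
        return result("Finding", "minor", reasons)
    if not control.policy.current:
        return result("Finding", "observation", ["policy version is out of date"])
    return result("Compliant", None,
                  [f"{len(samples)} samples reviewed, each approved and closed in {control.policy.tool}"])


def summarize(results: list) -> dict:
    """Counts for the executive summary: conclusions and finding severities."""
    counts = {"Compliant": 0, "Not Applicable": 0, "major": 0, "minor": 0, "observation": 0}
    for r in results:
        counts[r["severity"] if r["conclusion"] == "Finding" else r["conclusion"]] += 1
    return counts


# Constructed sample: three controls with the evidence an auditor might pull.
ACCESS_POLICY = Policy(present=True, tool="Jira")
CONSTRUCTED_SAMPLE = [
    (Control("A.5.18", ACCESS_POLICY),
     [Ticket("Jira", "a.approver"), Ticket("Jira", "b.approver"),
      Ticket("ServiceNow", "c.approver")]),                       # wrong tool on one sample
    (Control("A.7.1", Policy(present=False, tool=""), applicable=False,
             soa_justification="fully remote, no office premises in scope"), []),
    (Control("A.8.9", Policy(present=True, tool="Terraform", current=False)),
     [Ticket("Terraform", "d.approver"), Ticket("Terraform", "e.approver")]),  # stale policy
]


def run_assessment(sample=CONSTRUCTED_SAMPLE) -> list:
    return [assess_control(c, t) for c, t in sample]


if __name__ == "__main__":
    for r in run_assessment():
        print(r["ref"], r["conclusion"], r["severity"] or "", "|", "; ".join(r["reasons"]))
    print(summarize(run_assessment()))
```

In practice the `Ticket` records would be the exported sample from the ticketing integration and the `Policy` record the document metadata from the GRC platform; the routine's value is that the reason list becomes the evidence citation in the control-by-control table rather than a judgement call that has to be reconstructed at the closing meeting.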
The Audit Timeline
The duration of an ISO 27001 audit, internal or external, is not fixed by the standard itself. It scales with the size and complexity of the organization's scope, governed by ISO/IEC 27006 (requirements for certification bodies) and the IAF MD 5 mandatory document for audit time calculation. An organization with fewer than 10 employees in scope may have a stage 2 certification audit of two to three days. A 500-person organization with multiple sites can run to ten or more audit days.
For internal audits, the standard (Clause 9.2) requires only that they be conducted at planned intervals against defined criteria. There is no mandatory day-count. What matters is that the audit covers the defined scope, uses a repeatable process, and produces a documented result defensible to the external certification auditor reviewing it at stage 1.
Formal fieldwork vs. preparation
The audit dates on the report represent the window when formal fieldwork was conducted. The weeks of evidence gathering and GRC platform review that precede it are preparation, not audit time. An internal audit programme should plan for both phases distinctly.
The Structure of the Audit Process
A complete internal audit follows a consistent structure regardless of organization size or GRC platform:
- Opening meeting: The auditor confirms the scope, the evidence sources, and the approach with the audit sponsor and ISMS owners.
- Fieldwork: The auditor works through each clause and control systematically, reviewing policy documents, configuration evidence, operational records, and GRC platform automated test results.
- Closing meeting: The auditor presents observations before the report is issued, giving the organization an opportunity to confirm factual details and flag any items that need clarification.
- Report issuance: The full written report is delivered, typically within one to two business days of the closing meeting.
What the Report Contains
A complete ISO 27001 internal audit report documents:
- Executive summary: Overall conclusion, audit scope, number of observations, and any nonconformities
- Audit scope and objectives: Standard audited, dates, auditor, and procedures followed
- Control-by-control assessment: For each Annex A control, the conclusion (Compliant, Not Applicable, or Finding), the evidence reviewed, and the specific control reference from ISO 27002
- Clause 4 through 10 assessment: How each management system requirement is met, with evidence citations
- Summary of findings: Total observation count, nonconformity count, and any formal opportunities for improvement
- Appendix of open items: Document hygiene issues, version inconsistencies, and confirmation items requiring client action before the external audit
A clean internal audit report, one with no major or minor nonconformities, does not mean the ISMS is perfect. It means the controls are designed, operating, and evidenced at a level that satisfies the standard. Administrative and document hygiene items are surfaced as open items for client validation rather than formal findings.
Compliant, Not Applicable, and Finding
Every control in the assessment lands in one of three categories:
- Compliant: Policy is documented, the control is operating, and the evidence is sufficient. The conclusion is recorded with specific evidence citations.
- Not Applicable: The control does not apply to the organization, with justification recorded in the Statement of Applicability. Common for physical security controls in fully remote organizations.
- Finding: The control is absent, partially implemented, or the evidence does not match the policy. Classified as a major nonconformity (control absent or completely ineffective), minor nonconformity (partial or isolated failure), or observation (housekeeping item that needs attention before the external audit).
What Happens After the Report
The internal audit report is the starting point for external certification preparation, not the end of the process. Common follow-on actions after receiving a clean internal audit report:
- Close open items in the appendix before the external audit window opens
- Update evidence in the GRC platform where version inconsistencies were noted
- Confirm that management review minutes and the internal audit programme calendar are indexed in the platform
- Verify that any risk treatment items documented as incomplete either have a resolved status or a formally revised target date
For organizations on a GRC platform, most of these items can be resolved without external support. The internal audit report functions as a prioritized pre-certification checklist.
For more on the controls themselves, the ISO 27001 readiness scorecard maps the 93 Annex A controls to the most common gaps we see in the field, broken down by category.
Further Reading
- Five ISO 27001 Findings That Come Up Before Every External Certification
- ISO 27001 Certification Cost: What to Expect
- ISO 27001 Compliance Software: Vanta, Drata, and Secureframe Compared
- What an Effective Security Program Looks Like Before a Compliance Audit
Frequently Asked Questions
How long does an ISO 27001 internal audit take?
There is no fixed duration in the ISO 27001 standard itself. External audit durations are governed by ISO/IEC 27006 and IAF MD 5, which scale audit days based on organization size and scope. A small organization may have a stage 2 audit of two to three days; a larger one can require ten or more. Internal audits have no mandated day-count under Clause 9.2. What matters is that the audit covers the defined scope and produces a documented result. Evidence gathering and GRC platform review precede the formal audit window and are not counted in the audit dates on the report.
Does the internal auditor have to be external to the organization?
ISO 27001 requires that auditors be objective and impartial, but does not require external status. The key constraint is that auditors cannot audit their own work. For smaller organizations where maintaining internal independence is difficult, using an external consultant satisfies the objectivity requirement and typically produces a report that the external certification auditor will give more weight to.
How many Annex A controls are in ISO 27001:2022?
ISO 27001:2022 references 93 controls across four categories: 37 organizational controls (A.5), 8 people controls (A.6), 14 physical controls (A.7), and 34 technological controls (A.8). This is a reduction from the 114 controls in the 2013 version. Eleven new controls were added covering cloud security, threat intelligence, data masking, web filtering, configuration management, and secure coding, while the remainder were consolidated.
What is the difference between a major and minor nonconformity?
A major nonconformity means a management system requirement is not being met or a control is absent or completely ineffective. Major nonconformities must be resolved before certification can be issued. A minor nonconformity is an isolated or partial failure that does not represent a systemic breakdown. Minor nonconformities carry a correction deadline and must be resolved before the next surveillance audit cycle.
Can we use Vanta evidence for an ISO 27001 internal audit?
Yes. GRC platforms like Vanta integrate directly with cloud infrastructure and SaaS tools, running automated compliance tests that produce audit-ready evidence. For technical controls, the platform evidence is sufficient. For policy-based controls, the auditor reviews documents and uploaded screenshots alongside the automated test results. The internal audit report cites the platform as the evidence source, which the external certification auditor accepts.
About the Author
Former security architect for Bank of Canada and Payments Canada. 20+ years building compliance programs for critical infrastructure.