One of the practical questions that comes up at the internal audit stage is whether to run it internally or bring in outside help. The standard allows both. The real question is which approach produces a more useful result.
This post lays out the decision, what the independence requirement actually means, and what to expect from an external consulting engagement.
What the Standard Requires
ISO 27001:2022 Clause 9.2 requires that internal audits be planned, conducted, and documented. It requires auditors to be competent and impartial. It does not require external consultants. Many organizations conduct internal audits with internal staff.
The practical challenge is impartiality. An auditor cannot audit their own work. In most small to mid-sized organizations, the people who understand the ISMS well enough to audit it effectively are the same people who designed and operate the controls. That creates a structural impartiality problem, and in some cases, a bandwidth problem as well.
Why Internal Audits Run Internally Often Come Up Short
The bias problem. Internal staff develop familiarity with the controls they have built and maintained. Familiarity is not dishonesty; it is just how human cognition works. When you have reviewed the same vendor assessment template for two years, it stops registering as a potential gap. When you approved the policy yourself, you read it with an expectation of what it says rather than what it actually says.
An external auditor has no prior knowledge of the organization. They assess what is documented, what evidence exists, and what the controls actually do, not what they were designed to do or what everyone believes they do. That difference in starting point produces different findings.
The core problem with self-auditing
Familiarity is useful for operations and a liability for auditing. A control that has been in place for two years, approved by the same person who designed it, becomes invisible in a way an outside reviewer never experiences. The outside perspective is the mechanism by which the internal audit actually prepares you for certification.
The bandwidth problem. Internal audits done properly take significant time. Evidence collection across all in-scope controls, interviews with process owners, gap analysis, and a written report are not tasks that can be folded into existing work without trade-offs. The staff who are best positioned to run the audit are often the staff whose absence from regular work is most costly.
The auditor experience gap. Knowing the standard is different from knowing how certification auditors apply it. External consultants who specialize in ISO 27001 have direct experience with certification audits. They understand how findings are classified, which nonconformities certification bodies escalate, and what kind of evidence holds up under scrutiny. That experience is not transferable through training alone.
Security depth. Compliance-focused practitioners understand how controls are documented. Security practitioners understand whether the controls are actually working. The difference shows up in gap analysis: a compliance lens finds missing documentation; a security lens finds controls that are documented correctly but operationally ineffective. A team that has both skill sets identifies more of what needs to be fixed before the certification auditor arrives.
When Outsourcing Makes Sense
The decision to outsource is straightforward in some situations and more nuanced in others.
| Outsource when | Internal audits work when |
| --- | --- |
| The team that built the ISMS is the only team with sufficient knowledge to audit it | The organization is large enough to have staff genuinely independent of the controls being audited |
| No internal staff have ISO 27001 audit experience | Internal staff have formal audit training and experience with prior audits |
| The certification timeline is fixed and internal capacity is tight | The ISMS is well-established and this is a periodic recertification check |
| A previous internal audit produced no findings and the team is uncertain whether that reflects real maturity | The organization has conducted multiple prior audits with documented corrective actions |
Most organizations pursuing initial ISO 27001 certification find themselves in the left column.
What a Consulting Engagement Includes
Audit planning
Review of the Statement of Applicability, risk treatment plan, and prior audit history to scope fieldwork and identify the highest-risk areas.
Evidence review
Assessment of documentation and records against each in-scope clause and Annex A control. Where a GRC platform such as Vanta, Drata, or Secureframe is in use, its automated test results serve as evidence for the controls they cover. Controls without automation require manual evidence review.
Interviews
Verification that procedures are actually followed by the people responsible for them. Interviews are required under Clause 9.2 and cannot be replaced by document review alone.
Findings classification and written report
A formal document meeting Clause 9.2 requirements, with findings classified as major nonconformities, minor nonconformities, or observations. This is not a slide deck or summary email.
Remediation guidance
Prioritized recommendations sequenced by risk and by what certification auditors are most likely to focus on.
Related: the internal audit process in full and what to look for when choosing an internal auditor.
Common Mistakes When Auditing Internally
The most costly mistake
An internal audit report that records only positive conclusions is not evidence that the ISMS is functioning. It is evidence that the audit was not rigorous. Certification bodies expect the internal audit to have found something. A clean report from an initial certification candidate often raises questions rather than building confidence.
Auditing your own controls. The impartiality requirement is not a formality. An auditor who helped design the access control policy cannot give an objective assessment of whether it meets the standard's requirements. This mistake produces audit reports that look complete and miss the findings that matter.
Treating the audit as documentation review only. Evidence review is one part of the audit. Clause 9.2 also requires verification that procedures are implemented and effective. Skipping interviews leaves out the operational reality of the ISMS.
Running the audit too close to certification. Nonconformities require corrective action and evidence that the corrective action was effective. That takes time. An internal audit completed two weeks before the Stage 2 audit does not leave enough time to close findings properly. The target is six to eight weeks before certification.
What to Ask Before Engaging a Firm
- Does the team include people with hands-on security backgrounds, not only compliance process knowledge?
- How do they distinguish between findings that will block certification and those that will not?
- Who specifically will conduct the fieldwork, and what is their audit experience?
- Have they worked with the certification bodies operating in your region?
- What does the audit report look like, and what does it contain?
The goal is to understand whether the engagement produces a report you can act on, not just one you can file. Also see: what ISO 27001 internal audit consulting in Canada actually looks like.
Outsource Your ISO 27001 Internal Audit
We assess your ISMS as part of building an effective security program, with findings that prepare you for certification, not just documentation that checks the box.
Frequently Asked Questions
Is outsourcing the ISO 27001 internal audit allowed under the standard?
Yes. ISO 27001 Clause 9.2 requires that internal audits be conducted by competent and impartial auditors. It does not require that those auditors be internal employees. External consultants are a common and fully compliant approach, particularly for organizations where internal impartiality is difficult to establish.
How much does it cost to outsource an ISO 27001 internal audit in Canada?
Engagement cost depends on organizational size, ISMS scope, and the number of applicable controls. For small to mid-sized organizations, engagements typically involve two to four weeks of consulting time. The most useful starting point is a scoping conversation where the consultant reviews the Statement of Applicability before estimating effort.
Can we use the same firm for internal audit consulting and ISO 27001 implementation?
Yes, as long as the auditors conducting the internal audit are independent of the specific controls they are auditing. Many firms separate implementation and audit functions within the same engagement. Ask how the firm maintains that independence operationally.
What is the difference between an internal audit and a readiness assessment?
A readiness assessment is an informal review of where the organization stands against the standard. An internal audit is a formal process with defined scope, documented evidence, classified findings, and a written report that meets Clause 9.2 requirements. Certification bodies expect to see the formal audit report in the evidence package, not a readiness summary.
How long does an outsourced internal audit take?
Two to four weeks for most small to mid-sized organizations, from planning through final report. The timeline depends on organizational complexity and how quickly process owners can make themselves available for interviews. Engagements for larger organizations with multiple sites or complex supply chains may take longer.
When should we start the internal audit relative to our certification date?
Six to eight weeks before the Stage 2 certification audit is a reasonable target. This leaves time to receive the audit report, prioritize findings, implement corrective action, and produce evidence of remediation before the certification auditor reviews the evidence package. Closer than four weeks is high risk.
About the Author
Former security architect for Bank of Canada and Payments Canada. 20+ years building compliance programs for critical infrastructure.