What to Look for in an ISO 27001 Internal Auditor

Reviewed by Ali Aleali, CISSP, CCSP · Last reviewed May 12, 2026

When you are preparing for ISO 27001 certification, the internal audit is not a formality. It is the last structured opportunity to identify gaps before the certification body arrives. Who runs it determines how useful it is.

This post covers the criteria that separate a useful internal audit from one that generates a comfortable report and misses the findings the certification auditor finds six weeks later.

Not sure where your ISMS stands before the internal audit?

The ISO 27001 Readiness Scorecard takes about ten minutes and gives you a structured gap view across the main certification areas.

What the Standard Actually Requires

ISO 27001:2022 Clause 9.2 requires that internal audits be conducted by competent auditors who are objective and impartial. The standard does not define a specific certification or credential for internal auditors. It leaves competence to the organization to determine.

That flexibility is both practical and a source of real risk. Competence defined loosely produces audits that confirm what the team already believes. Competence defined well produces audits that find what needs to be fixed.

The Independence Requirement

Impartiality matters practically, not just technically. An auditor who helped design the controls cannot audit them without a conflict of interest. An auditor who reports to the person responsible for the ISMS has a structural incentive to underreport findings.

Internal staff can serve as internal auditors when they are genuinely independent of the areas they audit. In practice, for most small to mid-sized organizations, that independence is difficult to maintain. The people who understand the ISMS best are usually the ones who built and operate it.

Why external auditors satisfy this by default

External consultants bring something internal staff cannot: no history with the organization's decisions. They have no stake in whether a policy was written the right way three years ago. They assess what is present, not what was intended.

What Actual Competence Looks Like

Familiarity with ISO 27001:2022. The 2022 revision restructured Annex A from 114 controls to 93, added 11 new controls, and changed how controls are categorized. An auditor working from the 2013 version will miss controls that are now required and flag things that were reorganized. Confirm that the auditor works from the current version.

Experience with certification audits. Knowing the standard is not the same as knowing how certification bodies apply it. An auditor who has been through multiple certification cycles, from both sides of the table, understands how findings are framed, which nonconformities certification bodies escalate, and what evidence actually holds up under scrutiny. That pattern recognition is not in any document. It comes from experience.

Security background. This distinction matters more than it appears in a CV. A practitioner with a compliance background reviews whether documentation exists and whether it matches the control description. A practitioner with a security background evaluates whether the control is actually doing what it claims to do. For technical controls, that difference is significant. Reviewing a vulnerability management policy is different from understanding whether the scanning cadence, scope, and remediation SLAs are realistic given the organization's infrastructure.

ISO 27001 covers organizational controls, people controls, physical controls, and technological controls. An auditor with only one lens applies it everywhere.

Breadth across a team. A single consultant brings one background. A team with different specializations, including people who have operated cloud infrastructure, managed vendor risk programs, run incident response, and built governance frameworks, covers the full control landscape without bottlenecks. The gap analysis is more complete, and the remediation guidance is more specific.

Red Flags

Watch for these before signing an engagement

Each of the following is a red flag on its own: an audit report with no findings, no interviews, no written deliverable, a fixed one-day timeline quoted before scoping, or no review of the Statement of Applicability. Together they describe an audit that will not prepare you for certification.

Reports that are all green. An internal audit that identifies no findings, or only minor observations, in an organization preparing for initial certification is almost always wrong. Initial certifications reveal gaps. An audit report that does not find them means either the ISMS is genuinely mature (rare for a first certification) or the auditor was not looking hard enough.

No interviews. Document review alone does not satisfy Clause 9.2. Internal audits require verifying that documented procedures are actually followed. That requires talking to process owners, system administrators, and management. An auditor who relies only on documents is leaving out half the audit.

No written report. Clause 9.2.2 requires documented information as evidence of the audit programme and the audit results, and Clause 7.5 governs how that documented information is controlled and retained. The report must be complete, dated, and referenced in the evidence package. An engagement that ends with a verbal debrief or a slide deck does not produce the documentation artifact the standard requires.

A single fixed timeline. The scope of an ISO 27001 internal audit depends on organizational size and the number of applicable controls. An auditor who quotes a fixed one-day or two-day engagement before understanding the scope is not calibrating to the actual work. Audit duration is determined by scope, not a standard package.

No discussion of Annex A applicability. The Statement of Applicability determines which Annex A controls apply to your organization. An auditor who does not review the SoA before scoping the fieldwork does not understand what they are auditing.

Questions Worth Asking

Before engaging an auditor or consulting firm, these questions give you a useful signal:

  • Which certification bodies have you worked with in Canada, and how recently?
  • Can you walk through how you classify findings between major nonconformities, minor nonconformities, and observations?
  • What is your process for assessing Annex A controls where automated evidence exists in a GRC platform versus controls where evidence is manual?
  • Who on your team would conduct the fieldwork, and what are their backgrounds?
  • Have you done internal audits for organizations in our sector, and what were the most common findings?

The answers reveal whether the auditor is applying a template or actually thinking about your organization.

The Fresh Eyes Advantage

There is something that experience and credentials cannot fully capture: the value of someone seeing the organization for the first time.

Internal teams develop familiarity over time. Familiarity is useful for operations. It is a liability for auditing. A control that has been in place for two years, approved by the same person who designed it, reviewed by the same team that runs it, becomes invisible in a way that an outside reviewer never experiences. An external auditor sees the current state, not the intended state.

That outside perspective is not a soft benefit. It is the mechanism by which the internal audit actually prepares an organization for certification, rather than confirming what leadership already believed was true.

Related: the internal audit process in full, the five findings that come up before almost every certification, and how the policy-evidence gap undermines controls that are otherwise working.

Work With an Audit Team That Knows Security

We assess ISO 27001 readiness as part of building an effective security program, not just reviewing documentation before the certification clock starts.

Frequently Asked Questions

Does an ISO 27001 internal auditor need a specific certification?

The standard does not mandate a specific credential. Clause 9.2 requires competence and impartiality, defined by the organization. In practice, relevant indicators include experience with the 2022 revision, familiarity with certification body expectations, and a background in information security. A credential that demonstrates security depth, such as CISSP, alongside ISO 27001 audit experience, is a stronger signal than an audit certification alone.

Can we train an existing employee to run the internal audit?

Yes, in principle. The practical question is whether that person can be genuinely impartial toward the controls they help design or operate, and whether they have the capacity to conduct the audit properly alongside their regular responsibilities. For small teams, both constraints are real. External consultants are a common solution.

How many auditors should be on an internal audit team?

It depends on scope. A small organization with a limited ISMS might be well-served by two auditors. A larger organization with multiple sites, a complex supply chain, or significant technical infrastructure benefits from a team where different members cover governance, technical, and operational controls in parallel. The goal is coverage without gaps, not headcount.

What is a major nonconformity versus a minor nonconformity?

A major nonconformity is a failure that indicates the absence of a required element or a systematic breakdown in a required process. A minor nonconformity is an isolated or partial failure that does not indicate a systemic problem. The distinction matters because major nonconformities typically cannot be left open when the certification audit begins.

What should the internal audit report contain?

At minimum: audit objectives, scope, criteria, methods used, dates, auditors involved, findings classified by severity, and conclusions. The report becomes part of the evidence package reviewed by the certification body and must be retained as a documented record per Clause 7.5.

How do we know if an external auditor actually knows our industry?

Ask directly about their experience with organizations of similar size, sector, and regulatory environment. For Canadian organizations in regulated sectors such as financial services or defence supply chain, relevant questions include whether the auditor understands how sector-specific frameworks such as OSFI B-13 or CPCSC interact with ISO 27001 requirements. A consultant who can articulate those intersections is more likely to give relevant guidance.

Ready to Start Your Compliance Journey?

Get a clear, actionable roadmap with our readiness assessment.


About the Author

Former security architect for Bank of Canada and Payments Canada. 20+ years building compliance programs for critical infrastructure.
