You’ve decided it’s time to get serious about information security. Whether you’re a small business owner, a scrappy startup founder or part of a tiny team wearing many hats, you know that running an Information Security Management System (ISMS) is the key to keeping your customers and data safe. You’ve heard about ISO 27001, you’ve scoped out your assets, and you’re gearing up to engage a certification body. But then you’re told you need an internal audit. Panic sets in: “What is an internal audit for an ISMS? How do we even do one? And what on earth will the auditors want to see?”
Relax. It’s perfectly normal to feel a bit overwhelmed. Internal audits aren’t arcane rituals performed by cloaked auditors in windowless rooms. They’re simply your chance to confirm your ISMS is working as you intended, find any gaps you missed and demonstrate to your external auditor that you’re ready for certification. Think of it as a friendly rehearsal rather than a pass/fail test.
This post will walk you through what an internal audit really means, how to plan and perform one, and what evidence you’ll want to have on hand when the certification auditor knocks on your door. By the end, you’ll feel confident that you know what to do and can even turn the internal audit into an opportunity to strengthen your information security culture. Let’s dive in.
What Is an Internal Audit, Anyway?
In everyday business language, an audit can sound intimidating—an external assessment with box-ticking and finger-wagging. An internal audit, by contrast, is your own organisation’s chance to check that your ISMS processes match the policies and procedures you wrote.
A healthy ISMS is one you review regularly, improve continually and can prove you maintain. ISO 27001 (clause 9.2) requires you to conduct internal audits at planned intervals to check that the ISMS conforms to your own requirements and to the standard, and that it is effectively implemented and maintained. These audits have three main purposes:
- Verification: Confirm that the processes you documented are actually in practice. If your policy says you encrypt customer data and you can’t point to the configuration, key-management records or scan results that show it happening, that’s a gap.
- Improvement: Find nonconformities and opportunities to do things better. Perhaps your incident response plan is outdated, or your asset register is missing some critical systems.
- Readiness: Build confidence ahead of the certification audit. When you identify and correct issues in your own time, you avoid last-minute surprises.
Instead of a box-ticking exercise, think of your internal audit as a storytelling tool. You’re crafting the narrative of how your business protects information, and your audit is the proof you’ve delivered on every promise.
Planning Your Internal Audit
You wouldn’t start a road trip without a map. Similarly, a solid internal audit begins with a clear plan. Here’s how to approach it without getting lost:
Clarify the Scope and Criteria
Your ISMS scope defines what parts of the organisation are in play. It might be your head office, your entire business, or a subset of services you provide. Keep it manageable, especially for your first cycle.
Next, your audit criteria are the benchmarks you’re checking against—typically your own policies, procedures and the ISO 27001 standard itself. Make a simple cross-reference: section by section, match your documented processes to ISO clauses.
Select Your Auditors
Internal audits don’t need to be carried out by certified lead auditors (though it helps if someone knows a bit about ISO 27001 terminology). What the standard does require is objectivity and impartiality: choose someone who isn’t directly responsible for the processes they’re auditing. In a small team, that might mean swapping roles for the day: your operations lead audits the IT security controls, while your security person checks physical access controls.
If your team is tiny, consider engaging an external consultant just for the audit function. Yes, it costs a bit extra, but impartial eyes often spot gaps you’re too close to see.
Develop an Audit Programme
ISO 27001 asks for an audit programme rather than a single one-off audit, and nothing stops you from spreading that programme across the year. You could do a full cycle all at once or split audits by domain (access control, asset management, incident response, and so on), giving more attention to the processes that matter most and to areas where previous audits found problems. Whichever you choose, make sure the programme covers every in-scope clause and control before the certification audit. Map out dates and responsible auditors. Having a visible schedule keeps everyone prepared, and avoids those frantic “Did anyone test backups?” phone calls.
Prepare the Audit Checklist (Your Friendly Companion)
A checklist helps you ensure nothing slips through the cracks. It doesn’t have to be exhaustive; aim for a concise worksheet that prompts you to:
- Identify the process or control being audited
- Reference the relevant policy, procedure or ISO clause
- Note observations and evidence reviewed
Rather than printing a hundred pages, keep a spreadsheet or an online form. The point is to blend structure with flexibility so you can tailor questions to your environment.
Conducting the Internal Audit
Audit day arrives, but you’re no rookie—you’ve prepared. Here’s how to make the most of the session.
Introduce the Audit with Transparency
Begin each audit by briefly explaining the objectives, scope and criteria to those being audited. Reassure them that this isn’t about blame; it’s a collaborative check-in to improve how you protect information.
Gather Evidence With Purpose
Evidence can take many forms: configuration screenshots, access logs, vendor invoices, interview notes, training attendance records—anything that shows you followed your procedure. As you review each control, capture examples.
For instance, if you’re auditing patch management, you might:
- Pull the last three months of patch reports from your management console
- Ask your sysadmin to explain their weekly patch workflow
- Spot-check a couple of critical servers to confirm the patches the report claims were installed are actually present
This mix of objective data and personal insight builds a robust picture of how controls operate day to day.
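As an added example (not code from the original post), here is a small Python script that automates the comparison behind the third step: it takes a patch-report export and checks each host against the patch SLA written in your own procedure, recording anything outside the policy as a nonconformity and anything trending towards a breach as an observation. The hostnames, dates and the 14-day/30-day limits are constructed assumptions for illustration; in a real audit the limits come from your documented patch-management procedure, because that document is the audit criterion.

```python
"""Evaluate patch-management evidence against a written policy during an
internal audit. Illustrative code added for this post, not a tool from the
original page; the records, hostnames and SLA values are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# Hypothetical patch policy: maximum days a host may go without a successful
# patch run, by criticality tier. Assumed values, not from the original post.
POLICY_MAX_DAYS: Dict[str, int] = {"critical": 14, "standard": 30}


@dataclass
class PatchRecord:
    host: str
    tier: str              # "critical" or "standard"
    last_patched: date     # last successful patch run reported by the console
    pending_security: int  # security updates still outstanding on the host


@dataclass
class Finding:
    host: str
    severity: str          # "nonconformity" or "observation"
    detail: str


def assess_host(rec: PatchRecord, as_of: date) -> List[Finding]:
    """Compare one host against the policy and return any findings."""
    findings: List[Finding] = []
    age = (as_of - rec.last_patched).days
    limit = POLICY_MAX_DAYS[rec.tier]
    if age > limit:
        findings.append(Finding(rec.host, "nonconformity",
            f"{age} days since last patch; policy allows {limit} for {rec.tier} hosts"))
    elif age > limit * 0.75:
        # Still inside the SLA but close to breaching it: worth an observation.
        findings.append(Finding(rec.host, "observation",
            f"{age} of {limit} allowed days used; schedule is running close to the limit"))
    if rec.pending_security > 0:
        # Outstanding security updates on a critical host break the policy outright;
        # on a standard host we flag them for improvement.
        severity = "nonconformity" if rec.tier == "critical" else "observation"
        findings.append(Finding(rec.host, severity,
            f"{rec.pending_security} security update(s) still pending"))
    return findings


def audit_patching(records: List[PatchRecord], as_of: date) -> Tuple[List[Finding], Dict[str, int]]:
    """Run the check over the exported patch report and summarise the results."""
    all_findings: List[Finding] = []
    for rec in records:
        all_findings.extend(assess_host(rec, as_of))
    summary = {
        "hosts_checked": len(records),
        "nonconformities": sum(f.severity == "nonconformity" for f in all_findings),
        "observations": sum(f.severity == "observation" for f in all_findings),
    }
    return all_findings, summary


# Constructed sample export (not real hosts), shaped like a console CSV export.
SAMPLE_REPORT = [
    PatchRecord("db-prod-01", "critical", date(2024, 6, 20), 0),
    PatchRecord("web-prod-02", "critical", date(2024, 6, 1), 3),
    PatchRecord("build-01", "standard", date(2024, 5, 15), 0),
    PatchRecord("wiki-01", "standard", date(2024, 6, 5), 1),
]
AUDIT_DATE = date(2024, 6, 28)

if __name__ == "__main__":
    findings, summary = audit_patching(SAMPLE_REPORT, AUDIT_DATE)
    for f in findings:
        print(f"{f.severity.upper():<14} {f.host:<12} {f.detail}")
    print(summary)
```

The useful habit here is that the script measures the evidence against your own documented criterion, not against a generic notion of best practice. Keep the exported report, the script output and the policy version you tested against together; that bundle is exactly the kind of objective evidence the certification auditor will ask to see.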
Record Findings Clearly
When you uncover a gap, say a missing data classification policy, don’t panic. Describe the gap calmly and precisely in your notes, and label it as one of the following:
- Nonconformity: A requirement you haven’t met (for instance, you haven’t implemented your own access review schedule)
- Observation: Something not strictly nonconformant but worthy of improvement (your backup frequency is on the lower side of best practice)
For each finding, jot down the evidence you saw and, if possible, an immediate corrective action. Certification bodies typically grade nonconformities as major or minor; using the same grading in your own reports makes them easier to compare with the external audit. All of this makes the next section much easier.
Reporting and Follow-Up
An audit without follow-up is like baking a cake without eating it—all effort, no reward. Turn your findings into actions.
Draft the Audit Report
Your audit report should tell a story:
- Scope and objectives: Remind readers what you audited and why
- Summary of findings: Highlight key nonconformities and observations
- Detailed results: Provide evidence, relevance to policy or ISO requirements, and suggested corrective actions
- Conclusion: State an overall opinion on the health of your ISMS
Ensure your report is concise and jargon-free. Your executive team or certification auditor should understand at a glance where you stand.
Plan Corrective Actions
For each nonconformity, assign a responsible person, a timeline and a clear outcome. For instance, “By 30 June, update the data classification policy and deliver training to all staff on classification labels.” Record the root cause as well: ISO 27001 (clause 10.2) expects corrective action to address why the nonconformity happened, not just the symptom. Tracking these tasks in your project management tool (even if it’s a simple ticket in Jira or Trello) ensures accountability.
Verify the Fixes
Once corrective tasks are complete, do a mini follow-up audit. Confirm the policy exists, training records are current and logs show the new classification process in action. Audit trails of your own follow-up demonstrate due diligence to an external auditor.
What the Certification Auditor Wants to See
Your external audit is next. The certification auditor will want proof that you have a functioning, maintained ISMS. By now, you’ve already ironed out most wrinkles. Here’s what to have ready:
- Internal Audit Schedule and Reports: Your audit programme, evidence of audits conducted and reports showing findings and corrective actions.
- Management Review Records: Minutes from your management review meetings where leadership assessed performance, reviewed risks and approved improvements.
- Statement of Applicability (SoA): The document mapping the Annex A controls to your implementation status, including justifications for any you have excluded.
- Risk Assessment and Treatment Plan: Your process for identifying, evaluating and treating risks. Auditors will look for recent risk registers, treatment records and evidence that controls are effective.
- Policies and Procedures: All the documents you’ve promised to follow—asset register, access control policy, incident response plan, business continuity procedures, and so on.
- Training and Awareness Records: Evidence you’ve communicated security roles and responsibilities to staff, such as email newsletters, training completion certificates or attendance logs.
- Technical Evidence: Logs, reports and screenshots showing controls in action (firewall rules, patch reports, vulnerability scan results).
Think of the certification auditor as a curious investigator rather than a strict judge. They’re gathering evidence to confirm your story, not hunting for traps. If you can hand over clear records and answer their questions honestly, you’re in great shape.
Turning an Audit Into a Business Strength
One of the best-kept secrets of ISO 27001 is that the internal audit isn’t just compliance theatre. When done well, it:
- Boosts confidence across your team by showing progress
- Encourages continuous improvement as you spot trends in nonconformities
- Engages leadership through regular management review cycles
- Reduces surprises at the external audit by resolving issues early
Be transparent about what you find and celebrate what you fix. Your staff will appreciate seeing tangible improvements and will start thinking proactively about information security.
Wrapping Up: Your Next Steps
By now, you should feel equipped to plan, execute and leverage your first internal audit. Here’s a quick recap of what to do next:
- Define your audit scope, criteria and schedule for the year.
- Assign auditors (internal or external) who can assess processes impartially.
- Prepare a simple checklist that cross-references your policies and ISO requirements.
- Conduct audits with transparency, gathering evidence and recording findings.
- Report your results clearly and assign corrective actions.
- Verify fixes with a follow-up audit.
- Compile your evidence for the certification auditor: internal audit reports, management review minutes, policy documents, technical logs and SoA.
Remember, every organisation starts somewhere. Your first internal audit might feel awkward, but it’s also an exciting opportunity to build a stronger, more resilient ISMS. If you’d like some guidance or want a friendly vCISO to support your first audit, drop us a line. We’re passionate about helping small businesses and startups like yours turn security requirements into real business advantage.
Ready to get started? Contact Securitribe today and let’s make your first internal audit a breeze.