top of page

How to Audit a Company against ISO 27001?

Internal audits and pre-audit gap analysis are the most important parts of ISO 27001 compliance, so it’s vital that you know what to do and from where to start.

Good news, this article explains the main steps you need to follow to guarantee that your internal audit is unbiased and successful.

There are 5 essential phases:

  • Define Scope

Make sure that the audit’s scope matches the scope of the ISMS being certified.

If the company is big and the audit should cover more than one location, you may need to check how the ISMS is implemented in each business location.

In addition, you must identify and contact the main stakeholders in the ISMS to request any documentation or evidence during the audit process.

  • Plan the audit schedule and meetings

Audit planning structured the audit phases so they address all the clauses of the ISO 27001 standard.

Review ISO 27001 requirements and align them with the company's structure and processes. Based on that deck set the meetings with responsible officers.

  • Interview and gap analysis

Audit interviews and tests must be performed to validate the effectiveness of the company's ISMS.

At first, the auditor should review policies, procedures, and instructions relating to ISO 27001 requirements.

The next step includes a review of live evidence (reports, systems, dashboards).

  • Develop a report

The audit report should include a detailed description of the ISMS state and prove that it is efficient against the ISO 27001 requirements. In case it is not, non-conformities should be carefully registered.

  • Assign responsible officers to remediate non-conformities

Present the report to the company management and guide them on what their following steps should be. Make sure they know that non-conformities should be remediated and responsible officers assigned to do that.


bottom of page