Workstreet now supports ISO 42001 compliance → Learn more
July 7, 2024

Best Practices for ISO 27001 Internal Audit

With a focus on startups, we cover conducting an internal audit for ISO 27001 compliance, discussing the requirements, the challenges faced by startups, and how to streamline the process using a platform like Vanta.
Written by:
Travis Good
Header image

The following bullets are the TLDR version of this post on ISO 27001 internal audits with a focus on startups.

  • ISO 27001 requires internal audits for compliance, while SOC 2 does not explicitly require them.
  • Internal audits in ISO 27001 evaluate ISMS conformity, risk management processes, and control effectiveness.
  • Startups may struggle with internal audits due to limited resources, expertise, and competing priorities.
  • A well-planned internal audit includes defining scope and objectives, selecting competent auditors, and communicating with stakeholders.
  • Vanta can streamline the internal audit process for startups by automating evidence collection and providing a centralized dashboard.
  • Hiring a consultant or contractor is a common approach for startups to address ISO 27001's internal audit requirement.
  • A diverse internal audit team with technical skills, compliance experience, people skills, autonomy, and project management abilities is essential.
  • Workstreet can serve as an efficient internal auditor for startups, especially those using Vanta, offering special pricing and discounts.

Internal Audit is required by ISO 27001 but not SOC 2. As such, many companies have Internal Audit as a gap when they try to expand from SOC 2 to ISO 27001.

In this guide, we will walk you through the process of conducting an internal audit for ISO 27001 compliance, discussing the requirements, the challenges faced by startups, and how to streamline the process using a platform like Vanta. By following these steps, you will be better prepared to evaluate your organization's information security management system and ensure its effectiveness in protecting sensitive data.

What does ISO 27001 require for Internal Audit

ISO 27001 requires companies to conduct internal audits at planned intervals to ensure that their information security management system (ISMS) is effectively implemented and maintained. The internal audit process should be systematic, independent, and documented, focusing on evaluating the conformity of the ISMS with the requirements of the standard. This includes assessing the risk management processes, evaluating the effectiveness of controls, and identifying areas for improvement.

Specifically, section 9.2 of ISO 27001 states:

  1. The organization shall conduct internal audits at planned intervals.
  2. The internal audit shall determine whether the ISMS conforms to the organization's own requirements and the requirements of ISO 27001.
  3. The internal audit shall evaluate the effectiveness of the ISMS.
  4. The internal audit shall be conducted by competent, impartial and autonomous auditors who are not involved in the area being audited.
  5. The organization shall retain documented information as evidence of the implementation of the audit program and the audit results.

For reference, Section 9.2.1 of ISO 27001 states:

The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system:

a) conforms to

1) the organization’s own requirements for its information security management system;

2) the requirements of this document;

b) is effectively implemented and maintained.

Section 9.2.2 of ISO 27001 states:

The organization shall plan, establish, implement and maintain an audit programme(s), including the

frequency, methods, responsibilities, planning requirements and reporting.

When establishing the internal audit programme(s), the organization shall consider the importance of the processes concerned and the results of previous audits.

The organization shall:

a) define the audit criteria and scope for each audit;

b) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;

c) ensure that the results of the audits are reported to relevant management;

Does SOC 2 Require and Internal Audit?

While SOC 2 is not an ISO standard. SOC 2 does require organizations to establish and maintain effective internal controls over their information systems but does not explicitly call out internal audit as a required control. To comply with SOC 2, companies should still do assessments of the design and operating effectiveness of security controls. In this way,  SOC 2 is not as prescriptive about internal audit. Although the specific requirements for internal audits may vary between ISO 27001 and SOC 2, both standards emphasize the importance of a systematic and independent approach to evaluating the organization's information security management practices.

Why is it hard for startups to do an internal audit?

Startups often face challenges when conducting internal audits due to limited resources, lack of expertise, and competing priorities. As a growing company, allocating time and resources to establish a robust internal audit process can be difficult. Additionally, finding qualified and impartial auditors within the organization might be challenging, as employees may have multiple roles and responsibilities, leading to potential conflicts of interest.

Planning and Preparing for an Internal Audit

As you can see below, doing an internal audit requires time and resources.

Step 1: Establish the Audit Scope and Objectives

Begin by defining the scope of the audit, which includes identifying the areas, processes, or departments to be audited. Determine the objectives of the audit, such as assessing compliance with ISO 27001 requirements, evaluating control effectiveness, or identifying improvement opportunities. This often starts with drafting an internal audit policy and associated procedures.

Step 2: Develop an Audit Plan

Create a detailed audit plan that outlines the audit's timeline, resources required, and key milestones. The plan should also include information on risk assessments and methodologies to be used during the audit.

Step 3: Select Competent Auditors

Choose auditors who have relevant experience in information security management systems and are independent from the area being audited. This ensures objectivity and impartiality during the process. See more below on this 👇.

Step 4: Communicate with Stakeholders

Inform relevant stakeholders about the upcoming internal audit to ensure their cooperation and support. Provide them with necessary details such as audit scope, objectives, schedule, and expectations.

Step 5: Review Relevant Documentation

Prior to conducting the internal audit, review key documentation related to your organization's ISMS. This may include policies, procedures, risk assessments, previous audit reports, and other relevant records. Familiarize yourself with these documents to gain a deeper understanding of your organization's information security landscape.

Step 6: Prepare Audit Checklists

Develop checklists based on ISO 27001 requirements that will help guide you through each phase of the internal audit process. These tools should cover all aspects of your organization's ISMS in accordance with its specific needs.

Step 7: Present Findings to Management

One requirement of ISO for Internal Audit is that the results of the internal audit be reported to management. Ideally, this is done with a combination as well as written report.

By following these steps for planning and preparing for an internal audit, you can better ensure a thorough evaluation of your organization's ISMS while maintaining compliance with ISO 27001 requirements.

Streamline an Internal Audit with Vanta

Vanta can help with most of the above steps. Vanta is a platform that simplifies the internal audit process for startups by automating the collection and verification of evidence, streamlining communication between auditors and the organization, and providing a centralized dashboard for tracking progress. By leveraging Vanta's technology, startups can save time, reduce the risk of errors, and ensure a more efficient internal audit. If you're a Vanta customer looking for an internal audit, reach out and we'll tell you how easy we make it.

How much should an Internal Audit cost?

The cost of an internal audit can vary greatly depending on factors such as the size and complexity of your company, the scope of the audit, and the expertise of the auditors. One FTE for a small startup is often not feasible but, given the ISO internal audit requirements for autonomy, it is hard to do an internal audit with existing resources. However, this effort can be significantly higher for larger organizations or those with more complex information security management systems.

Many companies, especially startups, opt to hire a consultant or contractor to do their Internal Audit. This is a smart approach to address this requirement. If you're interested, we offer Internal Audit services  at Workstreet.

The Importance of a Diverse Internal Audit Team

By assembling a team with a broad range of expertise, organizations can better identify potential gaps, risks, and areas for improvement in their information security management system (ISMS).

One additional team requirement in ISO is that the internal audit team, or person, cannot be a team or person that setup or manages the ISMS. This usually means that companies need to hire a dedicated person or people to run their Internal Audit function.

Key Attributes for Internal Audit

  1. Technical Skills: Internal auditors need to have an understanding of modern technology to understand how this technologies can comply with regulatory and reporting controls as in ISO 27001.
  2. Compliance Experience: Internal auditors should have experience with compliance and the translation of controls to rules to technology and vice versa.
  3. People Skills: Part of an internal audit is working with relevant stakeholders to collect the infomation required.
  4. Autonomy: Internal auditors need to be resources that are not actively engaged with the ISMS.
  5. Project Management: Good internal auditors are good project managers. Without this skill, it's easy for an internal audit to drag out and drain company resources.

Workstreet as your Internal Auditor

You're a startup. You need to comply with ISO 27001. And you do not have the resources or time to hire a full time person responsible for Internal Audit.

If that 👆 is you, then Workstreet is a good fit to be your internal auditor. We have experience and are super efficient. We can manage your internal audit from start to finish and ensure you align with the controls in ISO 27001.

  • Draft or edit your policies for internal audit.
  • Define audit scope.
  • Conduct a complete internal audit for you (we know cloud and SaaS).
  • Collaborate with internal resources to mitigate risks and address gaps.
  • Draft and present report to management.
  • Work with external auditors on ISO 27001.

Better yet, if you're a startup that uses Vanta, Workstreet can get your internal audit done quickly and inexpensively - we have special pricing for Vanta customers! We also offer discounts based on multi-year pricing (an internal audit should be done annually). Reach out today to learn more.