ISO 27001 Internal Audit Guide

What is the ISO/IEC 27000 family of standards?

The ISO/IEC 27000 standards are designed to allow a broad range of organizations to develop an effective and comprehensive information security management system (ISMS) capable of protecting the confidentiality, integrity, and availability of information. Each standard offers either guidance or requirements for the design and implementation of different areas of an organization’s ISMS. The series is developed, maintained, and published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

The primary standards for the ISO Internal Audit are as follows:

ISO/IEC 27000: Provides an overview of ISMS as well as the terms and definitions used throughout the 27000 family of standards. It is a foundational document and, as such, not only serves as a good starting point for readers but is also referenced by all other ISO/IEC 27000 standards.

ISO/IEC 27001: Provides a high-level description of the ISO/IEC standards’ requirements for an organization’s ISMS. It is the central standard in the ISO/IEC 27000 series and is the standard against which an organization is audited.

ISO/IEC 27009: Provides sector-specific requirements for the controls specified in ISO 27001.

After ISO/IEC 27001, the standards offer general guidelines (27002 – 27008) as well as sector-specific guidelines (27010 – 27019). There are a few notable exceptions, namely 27006, which specifies requirements for auditors.

Relationship Between the ISO/IEC 27000 Family of Standards

Definitions Standards
  • ISO/IEC 27000: Information security systems – Overview and vocabulary

Requirements Standards
  • ISO/IEC 27001: Information security systems —
  • ISO/IEC 27006: Requirements for bodies providing audit and certification of ISMS
  • ISO/IEC 27009: application of ISO/IEC 27001 –
  • ISO/IEC 27021: requirements for information security

Guideline Standards
  • ISO/IEC 27002: Code of practice for InfoSec controls
  • ISO/IEC 27003: InfoSec management systems — Guidance
  • ISO/IEC 27004: InfoSec management – Monitoring, analysis, and
  • ISO/IEC 27005: InfoSec risk
  • ISO/IEC 27007: Guidelines for ISMS
  • ISO/IEC 27008: Guidelines for the assessment of InfoSec
  • ISO/IEC 27013: Guidance on the implementation of ISO/IEC 27001 and ISO/IEC 20000-1
  • ISO/IEC 27014: Governance of information security
  • ISO/IEC 27016: InfoSec management – Organizational

Sector Specific Guideline Standards
  • ISO/IEC 27010: Information security management for intersector and interorganizational
  • ISO/IEC 27011: Code of practice for InfoSec controls based on ISO/IEC 27002 for
  • ISO/IEC 27017: Code of practice for InfoSec controls based on ISO/IEC 27002 for cloud services
  • ISO/IEC 27018: Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
  • ISO/IEC 27019: InfoSec controls for the energy utility
  • ISO/IEC 27799: Health informatics – InfoSec management in health using ISO/IEC

Control Specific Guideline Standards
  • ISO/IEC 2703x
  • ISO/IEC 2704x
  • ISO/IEC 2705x

Information taken from

What is the ISO/IEC 27001 Internal Audit?

Organizations are required to perform internal audits as part of their ISO certification process. The internal audits must meet certain requirements laid out in ISO/IEC 27001 clause 9.2. The purpose of the internal audit is twofold:
  • Verify the organization’s ISMS is meeting the requirements laid out in their own ISMS documentation as well as the requirements of ISO 27001.
  • Verify the organization’s ISMS is being properly implemented and maintained.
(ISO/IEC 27001:2013 Section 9.2a & 9.2b)

The requirements for the ISO 27001 internal audit are as follows:

  • Plan, establish, and maintain an audit program. This should include written documentation regarding the frequency of audits, auditing methods, responsible parties, planning requirements, and reporting. The audit program should consider previous audit results as well as the importance of the audited processes to the organization.
  • Clearly define the scope of the audit.
  • Clearly define the audit criteria.
  • Ensure the audit is performed in an impartial and objective manner.
  • Report all results and findings to the proper parties.
  • Have procedures for the retention of audit results as well as any documented information.
    (ISO/IEC 27001:2013 Section 9.2c – 9.2g)