DEV Community

Daniel Glover
Daniel Glover

Posted on • Originally published at danieljamesglover.com

ISO 27001 Internal Audit Checklist for Small Teams

#iso27001 #cybersecurity #compliance

ISO 27001 internal audits often get treated like a mini certification audit.

That is usually where the pain starts.

Small teams already have enough on their plate. They are running BAU support, shipping changes, dealing with suppliers, handling incidents, and trying to keep governance work moving without turning the whole year into an evidence-gathering exercise. When internal audit is handled badly, it becomes a scramble for screenshots and policies nobody has read since the last review.

It does not need to work that way.

Clause 9.2 of ISO 27001 requires internal audits at planned intervals so you can assess whether the ISMS is operating effectively and whether it conforms to both the standard and your own internal requirements. That sounds formal, because it is. But in practice the job is simpler than many teams make it. You need an audit programme, clear scope, objective evidence, competent auditors, and proper follow-up on what you find.

The key point is this. An internal audit is not there to prove you are perfect. It is there to tell you whether your ISMS is real, current, and working.

For smaller organisations, that distinction matters. If your audit process is designed like a heavyweight corporate exercise, it will drift, people will avoid it, and the findings will be weak. If it is designed as a focused check on how the system actually operates, it becomes one of the most useful compliance tools you have.

What ISO 27001 Actually Expects

The standard does not demand a massive audit bureaucracy.

What it does expect is discipline.

Advisera's summary of clause 9.2 is a useful plain-English reminder. Internal audits need to happen at planned intervals, cover whether the ISMS conforms to ISO 27001 and your own policies, and produce evidence through document review, checklist-based testing, reporting, and follow-up. ISMS.online makes a similar point, emphasising scope, frequency, methods, responsibilities, reporting, and auditor objectivity. DataGuard also highlights something teams often miss: ISO 27001 does not dictate one universal cadence. You choose planned intervals based on your risk environment, scope, and organisational needs.

That gives small teams more flexibility than they often realise.

You do not need to audit every clause and every Annex A control in one exhausting week. You do need a credible programme that covers the full ISMS over time and gives leadership confidence that important areas are being checked properly.

The Biggest Mistake Small Teams Make

The most common mistake is treating internal audit as a document exercise.

The team gathers policies, checks version numbers, confirms that training exists, and writes "compliant" next to most headings. The problem is that none of this tells you whether the ISMS is actually being followed.

A policy that says access reviews happen quarterly is not evidence that access reviews happened.

A risk methodology document is not evidence that risks are being reviewed.

A supplier assurance process is not evidence that suppliers were actually assessed.

That is why a good audit has to test operation, not just existence. If you are auditing incident management, ask for the incident log, recent lessons learned, and evidence that actions were closed. If you are auditing supplier risk, compare the stated due diligence process with what happened on real procurements. I made a similar point in my vendor due diligence guide. A process is only useful if it changes decisions in real life.

A Practical ISO 27001 Internal Audit Checklist

If I were running this in a small team, this is the checklist I would use.

1. Confirm the audit scope and objective

Be explicit about what you are auditing.

That might be the whole ISMS over a longer programme, or a focused review of a specific area such as access control, supplier assurance, incident management, asset management, or management review.

For each audit, define:

  • the scope
  • the audit criteria
  • the owner for the area being audited
  • the planned date
  • the auditor
  • the evidence sources you expect to review

If those basics are fuzzy, the audit usually turns into a wandering conversation rather than a useful test.

2. Check that the audit is independent enough

ISO 27001 does not require a huge separate internal audit department, but it does require objectivity.

That means people should not audit their own work where this would create a conflict of interest. In a small team, independence often means using a colleague from another function, rotating responsibilities, or bringing in external support for sensitive areas.

This is one of those places where small organisations need to be honest. You may not achieve perfect structural independence, but you still need a defensible approach that avoids self-approval.

3. Review the audit programme

Before looking at one area in detail, step back and ask whether the overall audit plan is credible.

Can you show:

  • a documented audit programme
  • planned intervals based on risk and importance
  • coverage of the whole ISMS over time
  • completed audits from prior periods
  • follow-up of previous nonconformities

If the programme only exists in someone's head, that is your first weakness.

4. Test whether policies match reality

Pick the policies and procedures relevant to the area under review, then compare them with live evidence.

Examples:

  • Access control policy versus actual access reviews and joiner-mover-leaver records
  • Incident process versus the last few incidents handled
  • Risk management process versus the current risk register and treatment actions
  • Supplier assurance process versus recent supplier onboarding decisions
  • Backup policy versus actual backup logs, restore tests, and recovery evidence

This is where most useful findings appear.

5. Verify that records are current, not historic theatre

A lot of teams can show you evidence. Fewer can show you current evidence.

Look for dates, cadence, ownership, and signs of live use. Ask simple questions:

  • Was this reviewed when it was supposed to be?
  • Is the owner still the right person?
  • Are actions open longer than expected?
  • Does this record reflect the current estate, supplier set, or risk picture?

If your asset register still lists systems that were retired six months ago, or your risk register reads like an audit artefact rather than a management tool, the ISMS is drifting.

The Areas Small Teams Should Prioritise

If resources are tight, I would prioritise audit attention on the areas that tend to break first.

Risk management

Your risks should be current, clearly owned, and tied to treatment actions. If you need a better structure for making them readable, my guide to IT risk registers executives use is a good companion.

Access control

Test whether access is approved, reviewed, and removed properly. This is one of the easiest areas to write well and run badly.

Incident management

Check whether incidents are logged consistently, whether lessons learned are captured, and whether corrective actions actually close.

Supplier assurance

Third-party controls are often one of the weakest practical areas in smaller ISMS environments because supplier onboarding moves faster than governance.

Backup and recovery

A backup status page is not enough. You want evidence of restore confidence. The same principle came up in my Proxmox backup and disaster recovery guide. Recovery evidence matters more than backup optimism.

Management review and improvement actions

If leadership never reviews the ISMS properly, the whole system becomes performative. Internal audit should test whether management review is happening with substance, not just as a calendar event.

What Good Audit Evidence Looks Like

Useful evidence is specific, recent, and traceable.

That can include:

  • approved policies and procedures
  • meeting minutes
  • risk register updates
  • completed training records
  • screenshots from operational systems
  • supplier review records
  • change records
  • incident tickets
  • access review outputs
  • action trackers with owners and dates

What you want is a chain from requirement to process to proof.

For example, if the policy says privileged access is reviewed quarterly, you should be able to see the review schedule, the review outputs, the approvals, and any remediation raised from that review.

If you cannot, the finding is not "documentation gap". The finding is that the control may not be operating.

How to Write Findings That People Will Actually Fix

Weak audit findings are vague and moralising.

They say things like, "Process should be improved" or "Evidence was incomplete." That helps nobody.

A useful finding should state:

  • what requirement was being tested
  • what evidence was reviewed
  • what gap was found
  • why it matters
  • what corrective action is needed
  • who should own it

For example:

The access control procedure states quarterly privileged access reviews are required. Evidence was available for Q1 and Q2, but no Q3 review record was produced for the infrastructure admin group. This creates a risk that inappropriate access remains active beyond the organisation's approved review window. The control owner should complete the overdue review and implement a tracked schedule to prevent recurrence.

That gives management something clear to act on.

A Sensible Cadence for Small Organisations

I would not recommend one giant annual internal audit and nothing else.

A better pattern is:

  • an annual audit programme covering the full ISMS
  • lighter quarterly audits on higher-risk areas
  • targeted follow-up where nonconformities or major changes exist
  • immediate extra review after material incidents, supplier failures, or major structural change

This keeps the workload manageable and improves the quality of evidence because you are not trying to reconstruct a year's worth of activity in one go.

It also helps board and leadership reporting. If the ISMS is being checked steadily, your updates become cleaner and more credible. That matters when compliance work needs budget, priority, or operational changes. I touched on that wider reporting discipline in IT metrics board reporting. Good governance gets easier when the evidence is routine rather than last-minute.

The Bottom Line

A good ISO 27001 internal audit should leave you with a clearer view of reality.

Not just whether the right documents exist, but whether the system is being followed, whether controls are operating, and whether leadership can trust the picture they are being shown.

For small teams, that means keeping the method practical.

Plan the audit properly. Keep it independent enough to be credible. Test live evidence, not just paperwork. Write findings people can act on. Follow through.

Do that consistently and internal audit stops being a compliance tax. It becomes one of the fastest ways to find drift before your certification body, your customers, or a real incident finds it for you.

If you need help turning ISO 27001 from a documentation project into a working management system, my IT compliance services are designed for exactly that problem.

Top comments (1)

Collapse
 
archound profile image
Miloslav Homer

"You need an audit programme, clear scope, objective evidence, competent auditors, and proper follow-up on what you find."

I agree with this. But that's not easy to achieve at all! And if you follow it up demanding wide technical proficiency of auditors, you're looking at a costly exercise, even if it goes great.

The conclusion is also great: it is much better to discover issues by an internal auditor than by an attacker.