Clause 9.2 of ISO 27001:2013 states that the purpose of the internal audit is to determine whether the ISMS:


  • conforms to the organization’s own requirements for its information security management system; and the requirements of this International Standard;
  • is effectively implemented and maintained.


In a nutshell, the internal auditor is an essential role in reporting to senior management on how the information security management system (ISMS) is performing. In smaller organizations, the internal auditor often helps prepare for the certification or maintenance visit by the lead auditor from a Certification Body, and in this respect needs to have a good knowledge of the requirements and processes involved in the certification audit.


The most important role of the internal auditor, however, is to continually monitor the effectiveness of the ISMS and help senior managers determine if the information security objectives are aligned with the organization’s business objectives.

How many ISO 27001 internal auditors are required?


Whilst smaller organizations may only require one person in this role, medium- and large-sized organizations usually need to appoint several internal auditors from various departments, e.g. HR, finance, sales, IT, etc. Appointing internal auditors by department spreads the responsibility and reduces the risk of mistakes arising from under-resourcing. It also improves the integrity of the ISO 27001 CAPA (Corrective and Preventive Action) program.


Being able to rely on an ISO 27001 ISMS internal auditor is very useful during the implementation phase of the ISO 27001 ISMS project, as his or her role is to provide strategic guidance and set goals for the audit program. The internal auditor also plays a major role after the ISMS project is complete and ISO 27001 compliance has been achieved, by reviewing and maintaining that compliance.

Who can become an internal auditor?


Senior managers make good candidates for internal auditors. For example, HR managers can particularly benefit from qualifying as internal auditors as they are used to ensuring policies are kept up-to-date with standards and acts, such as the Data Protection Act (DPA). Becoming part of the ISO 27001 ISMS team can make their job easier as they’ll already be up-to-speed with meeting the relevant requirements.


Becoming an ISO 27001 ISMS Internal Auditor provides professionals with generic auditing skills which can be used in different environments (not just in the context of ISO 27001 compliance). Internal auditors are also valuable to an organization for auditing third-party suppliers and partners to ensure they have adequate security controls in place.


Satish Meda, a trainer for the DATASEC AFRICA ISO 27001 ISMS Internal Auditor Training Course, says he always aims to help trainees look beyond pure compliance, as it is important that they have their eyes set on improvement too. Satish provides his trainees with hints and tips on ways to approach auditing, both from an auditor’s perspective and that of an auditee, to make the process simpler and more successful.

Train as an ISO 27001 internal auditor


Our ISO 27001 Certified ISMS Internal Auditor training course provides the knowledge and skills required to perform ISO 27001 internal audits that deliver compliance and drive the continual improvement of an organization’s ISMS.

