ISO 27001 internal audit prep checklist

A checklist for making internal audits useful, repeatable, and less disruptive to operators.

By Sarah Jenkins

Regulatory & Compliance Analyst · 6 min read

Before the audit starts

  • Confirm scope and process areas under review
  • Gather current policies and procedures
  • Review recent risk and treatment updates
  • Confirm evidence owners for sampled controls
  • Collect previous internal or external findings
  • Prepare follow-up tracking for observations and actions
  • Confirm the audit criteria and clauses or controls being tested
  • Check that asset and vendor inventories are current
  • Review the statement of applicability for recent changes
  • Schedule interviews with process owners
  • Define how findings will be rated and assigned

Make the audit valuable

The internal audit should surface system weaknesses early, not just prove that a calendar event happened.

Evidence to prepare

Gather:

  • ISMS scope
  • Risk assessment and treatment plan
  • Statement of applicability
  • Policies and procedures
  • Training records
  • Asset and vendor inventories
  • Access review evidence
  • Incident records
  • Corrective action tracker
  • Management review records

The auditor may not review every artifact, but having them organized reduces disruption.

During the audit

Use structured notes:

  • Process reviewed
  • Evidence inspected
  • Owner interviewed
  • Observation or finding
  • Severity
  • Recommended action
  • Responsible owner
  • Due date

Internal audit should be collaborative but independent. The purpose is to find weaknesses early enough to fix them before certification or surveillance review.

After the audit

Do not let findings sit in a report. Add corrective actions to an owner-tracked workflow. Review progress in the ISMS operating cadence and management review.

The best internal audit improves the management system. If the same finding repeats every cycle, the corrective action process is not working.

Keep the momentum

Turn this guidance into a working program

CloudAnzen helps teams connect evidence, review failing controls, manage risk, and stay audit-ready across frameworks from one place.