Before the audit starts
Make the audit valuable
The internal audit should surface system weaknesses early, not just prove that a calendar event happened.
Evidence to prepare
Gather:
- ISMS scope
- Risk assessment and treatment plan
- Statement of Applicability
- Policies and procedures
- Training records
- Asset and vendor inventories
- Access review evidence
- Incident records
- Corrective action tracker
- Management review records
During the audit
Use structured notes:
- Process reviewed
- Evidence inspected
- Owner interviewed
- Observation or finding
- Severity
- Recommended action
- Responsible owner
- Due date
After the audit
Do not let findings sit in a report. Add corrective actions to an owner-tracked workflow. Review progress as part of the ISMS operating cadence and at management review.
The best internal audit improves the management system. If the same finding repeats every cycle, the corrective action process is not working.