We have been doing some internal audits as part of the ISO27001 certification for our clients. We are undertaking the audits on behalf of clients. Clients frequently do not have the skills, knowledge or time to do the internal audits in-house. It also means that they are getting an experienced internal auditor who understands what’s required by the standard. Each internal audit has the potential to pick up areas of nonconformity and areas for improvement.

Internal audits are a requirement of the ISO27001 standard and you have to cover all areas of the standard over the certification year. Generally, we break our audits down into quarterly internal audits and the standard is covered throughout the year and means that there are regular audits. It’s not all undertaken just before the certification audit. Internal audits are always a bit of a challenge because you don’t know what’s going to come up but they are a good way to understand if you’re still meeting the requirements of the standard.

We would much rather pick up an issue at an internal audit. You wouldn’t to get to a surveillance audit and the non-conformity potentially cost the certification for our client.

Can internal audits be undertaken in-house?

Although we provide the service for many of our clients, internal audits can be undertaken by somebody in-house who has the required skills and time to undertake the audits. If you are a small business, sometimes there just isn’t someone who meets that criteria.

The audits we have undertaken this week have been with a mix of clients. Some of whom are just embedding their ISMS and so there is more scope for non-conformities and opportunities for improvement. We aim to make the internal audits a positive experience, so we will also note things that are going well.

I would love to know what you do about the internal audits at your organisation.

If you need help with internal audits or want to find out more check out this page