ISO 27001 ISMS Audit and Review Process: Complete Guide to Internal, External, and Certification Audits

The audit and review process is one of the most important pillars of ISO 27001. It ensures your Information Security Management System (ISMS) is working as intended, risks are managed effectively, controls are operating correctly, and continual improvement is actively taking place. This guide explains every component of the ISO 27001 audit lifecycle — internal audits, external audits, certification audits, surveillance audits, and management reviews — and shows you how to prepare, what evidence auditors expect, and how to maintain long-term compliance.

Understanding the Purpose of ISMS Audits and Reviews

Why Audits Are a Core Requirement of ISO 27001

Audits are required to verify whether an organisation’s ISMS is functioning, effective, and aligned with ISO 27001 requirements. They provide independent evidence that policies, controls, and processes are not just documented but actually operating. Without audits, an organisation cannot demonstrate conformity to the standard and cannot maintain certification.

How Audits Support Continual Improvement

Audits highlight issues, inefficiencies, and areas for improvement. They help leadership understand whether risk management is effective, whether controls are working as expected, and whether new risks have emerged. Opportunities for improvement discovered during audits feed directly into corrective actions and continual improvement cycles required under Clause 10.

Difference Between Audits, Reviews, and Monitoring Activities

  • Audits are structured, independent evaluations of conformity against defined criteria (ISO 27001 clauses, Annex A controls, internal policies).
  • Management reviews are strategic assessments performed by top management under Clause 9.3.
  • Monitoring activities are routine operational checks, required under Clause 9.1, that confirm controls are functioning between audits.

All three work together to keep the ISMS healthy, effective, and continually improving.

Types of ISO 27001 Audits

First-Party Audits (Internal Audits)

Internal audits are performed by the organisation's own staff, or by a contracted auditor acting on the organisation's behalf, to verify conformity with ISO 27001 and with the organisation's own ISMS requirements. They are mandatory under Clause 9.2 and must be performed at planned intervals.

Second-Party Audits (Customer or Supplier Audits)

These audits are initiated by customers or partners who want assurance that your ISMS is effective and that sensitive data is protected. They are common in SaaS, finance, healthcare, and supply chain organisations.

Third-Party Audits (Certification Audits)

Certification audits are performed by accredited certification bodies. These determine whether you meet ISO 27001 requirements and whether certification can be issued or maintained.

When Each Audit Type Is Required

  • Internal audits: at planned intervals set in the audit programme. ISO 27001 does not fix a frequency, but in practice most organisations audit the whole ISMS at least annually and high-risk areas more often.
  • Second-party audits: driven by contracts, customer expectations, or security questionnaires.
  • Certification audits: at initial certification (Stage 1 and Stage 2), in the two surveillance years, and at recertification.

What Evidence Each Audit Typically Examines

Auditors commonly review:

  • Policies and procedures
  • Risk assessments and treatment plans
  • Annex A control evidence
  • Logs, monitoring reports, and metrics
  • Training records
  • Incident response documentation
  • Supplier evaluations
  • Internal audit results
  • Management review minutes

The ISO 27001 Audit Lifecycle

Annual Audit Planning and Risk-Based Scheduling

Internal audits must follow a documented audit program. This program outlines when audits occur, what areas will be audited, and which risks determine audit frequency. High-risk areas (cloud infrastructure, supplier management, access control) are audited more frequently.

Audit Preparation: Scope, Criteria, and Checklists

Preparation involves defining:

  • Audit scope: processes, departments, locations
  • Audit criteria: ISO 27001 requirements, internal policies, Annex A controls
  • Audit methods: interviews, sampling, evidence review

Checklists based on Clauses 4–10 and Annex A simplify preparation and ensure the audit is comprehensive.

Conducting the Audit: Interviews, Sampling, and Evidence Review

Auditors interview employees, observe processes, and request evidence. They use sampling techniques to examine a subset of activities, such as reviewing incident logs, user access reviews, or change management tickets.

Audit Reporting and Findings

After the audit, findings are documented. These include:

  • Conformities
  • Nonconformities
  • Observations
  • Opportunities for improvement (OFIs)

Each finding must be clear, evidence-based, and referenced to the specific audit criterion it was assessed against (an ISO 27001 clause, an Annex A control, or an internal policy), together with the evidence sample that supports it.

Corrective Actions and Verification

When nonconformities are identified, organisations must perform root cause analysis, implement corrective actions, and provide evidence. Auditors verify actions have been completed.

NCs vs OFIs (Nonconformities and Opportunities for Improvement)

Nonconformities are failures to meet a requirement and require corrective action. Certification bodies usually grade them as major (a requirement or control is absent or has broken down, or a pattern of minor findings shows a systemic failure) or minor (an isolated lapse). A major nonconformity must be closed, with evidence, before certification is granted or maintained; a minor one needs an accepted corrective action plan.
OFIs are optional improvements but often help strengthen future audits, and an ignored OFI can become a nonconformity at a later audit if the underlying weakness grows.

The Five-Step Audit Process Explained

Step 1 – Audit Initiation and Planning

Auditors establish the audit plan, identify audit objectives, confirm scope, allocate resources, and share schedules with involved teams.

Step 2 – Document Review

Auditors examine policies, procedures, risk assessments, the Statement of Applicability (SoA), and monitoring activities to determine whether the ISMS design meets ISO 27001 requirements before testing operations.

Step 3 – On-Site or Remote Audit Activities

Auditors conduct interviews, review logs, sample controls, validate procedures, and determine whether controls are operating effectively. Evidence sampling is used to confirm consistency.

Step 4 – Reporting and Findings

The audit report includes all findings, classifications of nonconformities, and recommendations for improvement. The organisation must respond with corrective action plans.

Step 5 – Follow-Up and Closure

Corrective actions are validated. When all issues are resolved, the audit is formally closed. Certification audits move to decision-making by the certification body.

Internal Audit Requirements Under ISO 27001 (Clause 9.2)

How to Develop an Internal Audit Program

A compliant audit program must:

  • Define audit frequency
  • Assign auditors and responsibilities
  • Establish scope and methodology
  • Address risk-prioritised audit scheduling
  • Document audit criteria

The audit program must be updated as the ISMS evolves.

Selecting Qualified Internal Auditors

Auditors must understand ISO 27001, audit techniques, and the systems they evaluate. They must also be competent in evidence gathering, interviewing, and reporting.

Ensuring Impartiality and Objectivity

Auditors cannot audit their own work: anyone who designed, implemented, or operates a control must not be the one who audits it. Independence is critical to ensuring valid audit results, and certification auditors will check how auditor assignments were made.

When to Outsource Internal Audits

The internal audit remains a first-party audit even when an external contractor performs it on the organisation's behalf. Organisations commonly outsource it when internal expertise is limited, when teams are too small to separate the auditor from the people who run the controls, or when impartiality cannot otherwise be guaranteed.

Evidence Required for Internal Audits

Evidence commonly includes:

  • Change control logs
  • Access reviews
  • Incident reports
  • Backup test results
  • Training records
  • Monitoring reports
  • Policy acknowledgements

Management Review Requirements (Clause 9.3)

What Must Be Reviewed by Top Management

Top management must regularly review:

  • ISMS performance
  • Risk status
  • Incident trends
  • Control effectiveness
  • Resource requirements
  • Opportunities for improvement
  • Alignment with business objectives

Inputs Required for the Management Review

Clause 9.3 specifies the inputs the review must consider. Organisations typically cover them under the following headings:

Status of Actions from Previous Reviews

Progress on the decisions and actions recorded at the last review.

Changes in Context

Changes in external and internal issues, and in the needs and expectations of interested parties, that are relevant to the ISMS.

Audit Results

Internal and external audit outcomes.

Nonconformities

Trends in nonconformities, corrective actions, and root cause analysis.

Risk Assessment Updates

New risks, residual risks, and progress against the risk treatment plan.

Control Performance

Monitoring and measurement outputs, metrics, KPIs, incidents, and whether information security objectives have been met.

Feedback from Interested Parties

Customer, regulator, and supplier feedback relevant to information security.

Resource Needs

Budget, staffing, training, and tooling requirements.

Outputs Required — Decisions, Improvements, and Actions

Management review outputs must include decisions on:

  • Changes to the ISMS
  • Improvement initiatives
  • Resource allocation
  • Risk acceptance or escalation
  • Policy updates

How Often Management Reviews Must Occur

ISO 27001 requires management reviews at planned intervals, typically annually. High-risk or rapidly evolving organisations may conduct them quarterly.

Steps for ISO 27001 Certification Audits (Stage 1 and Stage 2)

Pre-Certification Readiness Assessment

A pre-certification readiness assessment confirms whether documentation, evidence, and ISMS governance are mature enough for Stage 1.

Stage 1 Audit — Documentation and ISMS Design Review

Stage 1 examines whether ISMS documentation meets ISO requirements.

What Auditors Look For in Stage 1

Auditors focus on:

  • ISMS scope
  • Risk assessment methodology
  • Risk register
  • SoA
  • Policies and procedures
  • Internal audit results
  • Management review minutes

If major gaps exist, Stage 2 cannot begin.

Stage 2 Audit — Full ISMS Implementation Review

Stage 2 verifies operational effectiveness. Auditors check whether controls are working and whether staff follow documented processes.

How Evidence Sampling Works

Auditors select samples of activities such as:

  • Access requests
  • Change tickets
  • Incident logs
  • Vulnerability scans
  • Supplier evaluations

Team Interviews and Operational Validation

Employees are interviewed to validate understanding of processes, responsibilities, and security practices.

Certification Decision Process

The certification body reviews all findings before issuing an ISO 27001 certificate. Certification is valid for three years.

The Six Stages of the ISO 27001 Certification Process

These implementation stages are distinct from the Stage 1 and Stage 2 certification audits described above; the certification audits themselves take place in Stage 5 below.

Stage 1 — Define ISMS Scope and Requirements

Identify boundaries, stakeholders, legal obligations, and assets.

Stage 2 — Conduct Risk Assessment and Select Controls

Perform the risk assessment, select and justify controls, and build the Statement of Applicability (SoA) and the risk treatment plan (RTP).

Stage 3 — Implement ISMS and Required Documentation

Roll out controls, policies, processes, and evidence management.

Stage 4 — Perform Internal Audit and Management Review

Confirm readiness before external certification audits.

Stage 5 — Undergo Stage 1 and Stage 2 External Audits

Certification auditors validate the ISMS design and operation.

Stage 6 — Receive Certification and Begin Surveillance Cycle

Certification is issued, followed by Year 1 and Year 2 surveillance audits.

Surveillance and Recertification Audits

Year 1 and Year 2 Surveillance Audit Requirements

Surveillance audits confirm that the ISMS continues to conform between certification decisions. They are narrower in scope than Stage 2 (the certification body samples different areas each year so that the whole ISMS is covered over the three-year cycle) but still require updated evidence, risk assessments, metrics, and corrective actions.

What Auditors Verify During Surveillance

Auditors check:

  • Control performance
  • Monitoring and measurement
  • Risk updates
  • Incident management
  • Internal audits
  • Management reviews
  • Documentation currency

Recertification Audit at Year 3

The recertification audit is more extensive and reassesses the ISMS holistically.

Evidence Depth and Scope Reassessment

Auditors revalidate:

  • Scope
  • Risk treatment
  • SoA
  • Documentation
  • Long-term control effectiveness

How Often the ISMS Must Be Reviewed and Improved

Required Frequency for Internal Audits

ISO 27001 requires internal audits at planned intervals rather than at a fixed frequency. In practice, certification bodies expect the whole ISMS to be covered within each certification cycle, most organisations audit every area at least annually, and high-risk areas may require more frequent review.

Required Frequency for Management Reviews

Management reviews are typically annual but may occur more often if risk levels or organisational changes require it.

Continuous Improvement Expectations

ISO 27001 requires continual improvement. This includes updating processes, closing audit findings, improving efficiencies, and maturing the ISMS over time.

Common Audit Challenges and How to Avoid Them

Missing or Outdated Documentation

Old policies, obsolete procedures, or incomplete evidence lead to nonconformities. Documents must always reflect current practices.

Poorly Defined Scope or Risk Assessment Criteria

Scope errors cause major audit failures: a scope that excludes systems or teams that handle in-scope information, or that no longer matches the certificate, undermines every control decision built on it. Risk criteria must be clear, consistent, and applied uniformly so that two assessors would rate the same risk the same way.

Not Maintaining Evidence Throughout the Year

Evidence cannot be fabricated at audit time, and backdated or retrofitted records are themselves a serious finding. Evidence must be collected continuously, as a by-product of running the controls.

Failing to Track Corrective Actions Properly

Corrective actions must be documented, assigned, implemented, and validated.

Overreliance on External Consultants

Consultants can assist, but internal ownership is essential. Auditors expect employees — not consultants — to understand the ISMS.

Best Practices for a Smooth ISO 27001 Audit

Preparing Audit Trails and Evidence in Advance

Evidence should be stored in a structured system that auditors can navigate easily. ISMS platforms reduce audit stress significantly.

Ensuring Employee Competence Before Interviews

Employees must understand policies, follow processes, and be able to explain their responsibilities during audits.

Keeping Policies and Procedures Up to Date

Policies should match actual practice. Discrepancies result in nonconformities.

Using Audit Management Tools for Efficiency

Platforms help automate evidence collection, track audit findings, assign corrective actions, and maintain control performance dashboards.

Strengthen Your Audit and Review Process with Hicomply

ISO 27001 audits can be complex, time-consuming, and stressful without the right systems in place. Hicomply streamlines internal audits, evidence collection, management reviews, and certification preparation with automated workflows, built-in templates, and real-time ISMS dashboards. Book a demo to see how Hicomply removes complexity and helps you stay audit-ready all year.

Book a demo: https://www.hicomply.com/book-a-demo

Last updated
December 5, 2025
Category
Information Security Management System (ISMS)
Lucy Murphy
Head of Customer Success

Lucy works closely with customers to help them get the most out of the Hicomply platform, from onboarding to audit success. She brings a user-focused mindset to everything she does, making her well-placed to write about day-to-day challenges, shortcuts, and success strategies. Her content is grounded in what real InfoSec and compliance teams need to know, and how to get there faster. Expect helpful walkthroughs, product tips, and practical insights.

Popular ISO 27001 ISMS Audit And Review Process queries, answered!

What are the steps for an ISO 27001 audit?

The steps include planning, document review, interviews and sampling, reporting, corrective actions, and verification. External certification audits occur in two stages: Stage 1 for documentation and Stage 2 for operational effectiveness.

How often should the ISMS be reviewed and improved?

ISMS reviews must occur at planned intervals; ISO 27001 sets no fixed frequency, but internal audits and management reviews are typically annual. Continual improvement should happen throughout the year as risks, controls, and business conditions evolve.

What is the 5-step audit process?

The five steps are planning, document review, on-site or remote activities, reporting, and follow-up. This process applies to internal, second-party, and third-party audits.

What are the 6 stages of the ISO 27001 certification process?

The six stages are defining scope, conducting risk assessments, implementing the ISMS, performing internal audits and management reviews, undergoing external certification audits, and entering the surveillance cycle.

What is the audit lifecycle of ISO 27001?

The audit lifecycle includes annual planning, preparation, execution, reporting, follow-up, and periodic surveillance audits. It repeats throughout the ISMS certification cycle to ensure ongoing compliance and continual improvement.
