Internal Audits

Plan and conduct internal ISMS audits, track findings, manage corrective actions, and demonstrate continual improvement.

Overview

Internal audits are a mandatory requirement of ISO 27001 and a key mechanism for verifying that your ISMS is operating effectively. The Internal Audits module in Standardise helps you plan audits, define their scope and criteria, record findings, and track corrective actions through to completion. A well-managed internal audit programme demonstrates to certification bodies that your organisation takes continual improvement seriously.

Planning an Audit

To create an audit, click the Create Audit button and provide the following information:

  • Title — A descriptive name (e.g. “Q2 2026 Access Control Review”).
  • Scope — Which areas, processes, or controls the audit will cover. This might be a specific Annex A category, a department, or a particular process.
  • Criteria — The standards or requirements the audit will assess against (e.g. ISO 27001:2022 Annex A.8, organisational access control policy).
  • Lead Auditor — The team member responsible for conducting the audit. The auditor should be independent of the area being audited where possible.
  • Planned Date — When the audit is scheduled to take place.

Audit Status Workflow

Each audit progresses through a defined lifecycle:

  • Planned — The audit has been scheduled but not yet started.
  • In Progress — The audit is actively being conducted; evidence is being gathered and interviews performed.
  • Completed — The audit has concluded and findings have been documented.
  • Cancelled — The audit was cancelled (with documented justification).

Findings and Corrective Actions

During or after an audit, you can record findings against the audit. Each finding captures:

  • The nature of the finding (nonconformity, observation, or opportunity for improvement).
  • A description of what was observed and why it is a concern.
  • The corrective action required to address the finding, including an assigned owner and target completion date.

Tracking findings through to resolution is critical for demonstrating continual improvement to auditors. Unresolved findings from previous audits are a common area of focus during certification audits.

Audit Statistics and Export

The module dashboard displays summary statistics including total audits, audits by status, and findings counts. All audit data can be exported to CSV for reporting to management or inclusion in management review packs.
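Since unresolved findings from earlier audits are what certification auditors tend to look at first, it is worth running a quick check over the exported data before a management review. The following script is an added example, not part of the Standardise documentation or the product's own code: it parses a constructed CSV in the shape such an export might take (the column names are an assumption, not the module's actual layout) and reports open findings on completed audits, flagging any whose corrective-action target date has already passed.

```python
import csv
import io
from datetime import date

# Constructed sample of an audit export. The column names are assumed for
# this example; the actual CSV produced by the module may differ. Audit
# statuses and finding types follow the values described on this page.
SAMPLE_EXPORT = """\
audit_title,audit_status,finding_type,finding_status,owner,target_date
Q1 2026 Access Control Review,Completed,nonconformity,open,alice,2026-03-31
Q1 2026 Access Control Review,Completed,observation,closed,bob,2026-02-15
Q1 2026 Supplier Review,Completed,opportunity for improvement,open,carol,2026-06-30
Q2 2026 Physical Security,In Progress,nonconformity,open,dave,2026-05-15
Q1 2026 Backup Review,Cancelled,observation,open,erin,2026-03-01
"""


def load_findings(csv_text):
    """Parse export rows into dictionaries keyed by the header line."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def unresolved_findings(rows, as_of):
    """Return open findings on completed audits, marking those past their target date.

    as_of is an ISO date string (YYYY-MM-DD) used as the reference day.
    Audits that are still In Progress are skipped because their findings
    may still be added or closed; Cancelled audits are skipped because
    they produce no valid findings.
    """
    reference = date.fromisoformat(as_of)
    result = []
    for row in rows:
        if row["finding_status"].strip().lower() != "open":
            continue
        if row["audit_status"] != "Completed":
            continue
        target = date.fromisoformat(row["target_date"])
        result.append({
            "audit": row["audit_title"],
            "type": row["finding_type"],
            "owner": row["owner"],
            "target_date": target.isoformat(),
            "overdue": target < reference,
        })
    return result


def summarise(rows, as_of):
    """Headline counts suitable for a management review pack."""
    open_items = unresolved_findings(rows, as_of)
    return {
        "open": len(open_items),
        "overdue": sum(1 for f in open_items if f["overdue"]),
        "open_nonconformities": sum(
            1 for f in open_items if f["type"] == "nonconformity"
        ),
    }


if __name__ == "__main__":
    rows = load_findings(SAMPLE_EXPORT)
    for finding in unresolved_findings(rows, "2026-04-30"):
        flag = "OVERDUE" if finding["overdue"] else "open"
        print(f"[{flag}] {finding['audit']}: {finding['type']} "
              f"(owner {finding['owner']}, due {finding['target_date']})")
    print(summarise(rows, "2026-04-30"))
```

Nonconformities are counted separately because they carry the most weight with a certification body; observations and opportunities for improvement still appear in the open list so that owners can be chased before the next audit.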

ISO 27001 Mapping

Internal audits are required by Clause 9.2 of ISO 27001:2022. The standard requires organisations to conduct internal audits at planned intervals to determine whether the ISMS conforms to the organisation's own requirements and the requirements of ISO 27001, and whether it is effectively implemented and maintained. Clause 9.2.1 defines the general requirements, while Clause 9.2.2 specifies what the internal audit programme must consider, including the importance of processes, results of previous audits, and actions to address identified nonconformities.