Information Security Management
ISO 27001 Internal Audit Service
Learn about my Internal Auditing Service
My internal audit service will tell you quickly where your business stands against the ISO 27001 benchmark.
I’m UK-based but deliver services globally. My internal audit is designed for smaller businesses that want assurance before their external audit, or that cannot maintain the auditor objectivity and impartiality required by Clause 9.2 of ISO 27001.

“Alan from Iseo Blue truly came to our rescue. His support ahead of our internal audit was outstanding, and he helped us get our ISMS 100% ready for the Phase 2 audit.”
– Jair Ross, Quartile
(Internal Audit Client)
How it works
Designed specifically for small-to-medium businesses, the audit can be conducted remotely or on-site, in one go, or in bite-sized sessions over a week or two.
The key activities are as follows:
A scoping call
We agree on the audit scope, plan the best approach in terms of timing, sessions and requirements, and I’ll tell you exactly what evidence to have ready.
Document review
You share access to your ISMS documentation. I review your policies, procedures, risk register, SoA, and supporting records remotely.
Audit interviews
I interview your relevant team members, typically your ISMS lead and one or two process owners, to verify that documented procedures reflect actual practice.
Report delivery
Within five working days of the interviews, you will receive your completed audit report and nonconformity log, ready to share with your certification body.

What you receive
A completed audit report and a nonconformity log, delivered within five working days of the interviews and ready to share with your certification body.
Who it’s for
Organisations seeking confidence in their ISMS before commencing an expensive certification process.
SMEs that lack the resources to conduct an independent internal audit.
This service works well for organisations approaching their initial certification audit who want a dry run before the external audit, or for those already certified who want to conduct their routine internal audit in accordance with the standard’s requirements.
It is not the right fit for organisations that have not yet built their ISMS. If you are still building your management system, the ISO 27001 consultancy service is the more appropriate starting point. If you have it all built but haven’t yet pressed the ‘go’ button, that is also a good time for an internal audit.
Pricing
The ISO 27001 internal audit service is priced at a fixed fee of £2,500 + VAT (where applicable).
There are no hidden extras. The fee covers the scoping call, document review, audit interviews, and the final report.
Guarantee
If your certification body raises a nonconformity that I didn’t flag in my audit report, I’ll help you address it at no charge.
What an ISO 27001 internal audit actually involves
An internal audit is a mandatory component of ISO 27001. It’s a structured review of your Information Security Management System against the requirements of ISO 27001.
The audit checks whether your controls are implemented as intended, working, and being maintained. The output is a formal audit report and a nonconformity log: records your certification body will expect to see at your certification audit and at each subsequent surveillance audit.
The audit covers: your documentation, risk treatment plan and Statement of Applicability; whether your documented procedures match what is actually happening; evidence of management review; training records; incident logs; and the effectiveness of any previous corrective actions.
Why SMEs outsource their internal audit
The standard is explicit: internal auditors must be competent, objective and impartial, and the audit process must be free of conflicts of interest.
If the person who implemented your controls is also the one auditing them, that impartiality is compromised, and an auditor from your certification body will notice.
Many SMEs don’t have a spare qualified staff member who isn’t involved in running the ISMS. The choices are: train someone in-house (time-consuming), hire a freelance auditor (expensive and often impersonal), or work with a specialist who understands both the standard and the SME context. That’s where I come in.
Frequently asked questions
How long does the audit take?
It depends, but the process typically runs over two to three weeks from scoping call to final report. The audit interviews are conducted either in a single day or in several sessions spread over about a week, depending on team commitments and preferences.
Can you conduct the audit if we built our ISMS ourselves?
Yes — in fact, this is the most common scenario. Self-built ISMS implementations are exactly where independent audit adds most value, because objectivity is hardest to maintain internally.
Will this satisfy our certification body?
Yes. The audit report and nonconformity log I produce meet the documented-information requirements of ISO 27001 Clause 9.2 and are formatted to align with what accredited certification bodies expect. Findings are classified as major or minor nonconformities, opportunities for improvement, and observations, mirroring the categories certification bodies use.
Do we need to have worked with you previously?
No. This is a standalone service. If you have an existing ISMS — whether you built it with my help, through the DIY course, or independently — I can conduct the audit.
Is this service available internationally?
Yes. Sessions are conducted remotely via video call, so location is no barrier. I have worked with organisations across the UK, EU, USA, New Zealand, and beyond.
Do you do on-site audits in the UK?
If geographically feasible (i.e., in the south of England), then yes. I’m happy to conduct an on-site audit and do so occasionally.
Ready to book your internal audit?
If your certification or surveillance audit is coming up, or you want to give your ISMS a proper independent review before it does, book a free 30-minute scoping call. I’ll confirm whether the service is right for your situation and answer any questions before you commit.